LNCS 11348
Anupam Chattopadhyay Chester Rebeiro Yuval Yarom (Eds.)
Security, Privacy, and Applied Cryptography Engineering 8th International Conference, SPACE 2018 Kanpur, India, December 15–19, 2018 Proceedings
123
Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board David Hutchison Lancaster University, Lancaster, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Friedemann Mattern ETH Zurich, Zurich, Switzerland John C. Mitchell Stanford University, Stanford, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel C. Pandu Rangan Indian Institute of Technology Madras, Chennai, India Bernhard Steffen TU Dortmund University, Dortmund, Germany Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max Planck Institute for Informatics, Saarbrücken, Germany
11348
More information about this series at http://www.springer.com/series/7410
Anupam Chattopadhyay Chester Rebeiro Yuval Yarom (Eds.) •
Security, Privacy, and Applied Cryptography Engineering 8th International Conference, SPACE 2018 Kanpur, India, December 15–19, 2018 Proceedings
123
Editors Anupam Chattopadhyay School of Computer Science and Engineering Nanyang Technological University Singapore, Singapore
Yuval Yarom University of Adelaide Adelaide, Australia
Chester Rebeiro Indian Institute of Technology Madras Chennai, India
ISSN 03029743 ISSN 16113349 (electronic) Lecture Notes in Computer Science ISBN 9783030050719 ISBN 9783030050726 (eBook) https://doi.org/10.1007/9783030050726 Library of Congress Control Number: 2018962545 LNCS Sublibrary: SL4 – Security and Cryptology © Springer Nature Switzerland AG 2018 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, speciﬁcally the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microﬁlms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a speciﬁc statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional afﬁliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
The Conference on Security, Privacy, and Applied Cryptography Engineering 2018 (SPACE 2018), was held during December 15–19, 2018, at the Indian Institute of Technology Kanpur, India. This annual event is devoted to various aspects of security, privacy, applied cryptography, and cryptographic engineering. This is a challenging ﬁeld, requiring expertise from diverse domains, ranging from mathematics to solidstate circuit design. This year we received 34 submissions from 11 different countries. The submissions were evaluated based on their signiﬁcance, novelty, technical quality, and relevance to the SPACE conference. The submissions were reviewed in a doubleblind mode by at least three members of the 36member Program Committee. The Program Committee was aided by 22 additional reviewers. The Program Committee meetings were held electronically, with intensive discussions. After an extensive review process, 12 papers were accepted for presentation at the conference, for an acceptance rate of 35.29%. The program also included six invited talks and ﬁve tutorials on several aspects of applied cryptology, delivered by worldrenowned researchers: Nasour Bagheri, Shivam Bhasin, Jo Van Bulck, Shay Gueron, Avi Mendelson, Mridul Nandi, Abhik Roychoudhury, Sandeep Shukla, Vanessa Teague, and Eran Toch. We sincerely thank the invited speakers for accepting our invitations in spite of their busy schedules. Like its previous editions, SPACE 2018 was organized in cooperation with the International Association for Cryptologic Research (IACR). We are thankful to the Indian Institute of Technology Kanpur for being the gracious host of SPACE 2018. There is a long list of volunteers who invested their time and energy to put together the conference, and who deserve accolades for their efforts. We are grateful to all the members of the Program Committee and the additional reviewers for all their hard work in the evaluation of the submitted papers. We thank Cool Press Ltd., owner of the EasyChair conference management system, for allowing us to use it for SPACE 2018, which was a great help. We thank our publisher Springer for agreeing to continue to publish the SPACE proceedings as a volume in the Lecture Notes in Computer Science (LNCS) series. We are grateful to the local Organizing Committee, especially to the organizing chair, Sandeep Shukla, who invested a lot of effort for the conference to run smoothly. Our sincere gratitude to Debdeep Mukhopadhyay, Veezhinathan Kamakoti, and Sanjay Burman for being constantly involved in SPACE since its very inception and responsible for SPACE reaching its current status.
VI
Preface
Last, but certainly not least, our sincere thanks go to all the authors who submitted papers to SPACE 2018, and to all the attendees. The conference is made possible by you, and it is dedicated to you. We sincerely hope you ﬁnd the proceedings stimulating and inspiring. October 2018
Anupam Chattopadhyay Chester Rebeiro Yuval Yarom
Organization
General Cochairs Sandeep Shukla Manindra Agrawal
Indian Institute of Technology Kanpur, India Indian Institute of Technology Kanpur, India
Program Cochairs Anupam Chattopadhyay Chester Rebeiro Yuval Yarom
Nanyang Technological University, Singapore Indian Institute of Technology Madras, India The University of Adelaide, Australia
Local Organizing Committee Biswabandan Panda Pramod Subramanyan Shashank Singh
Indian Institute of Technology Kanpur, India Indian Institute of Technology Kanpur, India Indian Institute of Technology Kanpur, India
Young Researcher’s Forum Santanu Sarkar Vishal Saraswat
Indian Institute of Technology Madras, India Indian Institute of Technology Jammu, India
Web and Publicity Sourav Sen Gupta
Nanyang Technological University, Singapore
Program Committee Divesh Aggarwal Reza Azarderakhsh Lejla Batina Shivam Bhasin Swarup Bhunia Billy Brumley Arun Balaji Buduru Claude Carlet Rajat Subhra Chakraborty Anupam Chattopadhyay JeanLuc Danger
Ecole Polytechnique Fédérale de Lausanne, France Florida Atlantic University, USA Radboud University, The Netherlands Temasek Labs, Singapore University of Florida, USA Tampere University of Technology, Finland Indraprastha Institute of Information Technology Delhi, India University of Paris 8, France Indian Institute of Technology Kharagpur, India Nanyang Technological University, Singapore Institut Télécom/Télécom ParisTech, CNRS/LTCI, France
VIII
Organization
Thomas De Cnudde Junfeng Fan Daniel Gruss Sylvain Guilley Jian Guo Naofumi Homma Kwok Yan Lam Yang Liu Subhamoy Maitra Mitsuru Matsui Philippe Maurine Bodhisatwa Mazumdar Pratyay Mukherjee Debdeep Mukhopadhyay Chester Rebeiro Bimal Roy Somitra Sanadhya Vishal Saraswat Santanu Sarkar Sourav Sengupta Sandeep Shukla Sujoy Sinha Roy Mostafa Taha Yuval Yarom Amr Youssef
K.U. Leuven, Belgium Open Security Research, China Graz University of Technology, Austria Institut Télécom/Télécom ParisTech, CNRS/LTCI, France Nanyang Technological University, Singapore Tohoku University, Japan Nanyang Technological University, Singapore Nanyang Technological University, Singapore Indian Statistical Institute Kolkata, India Mitsubishi Electric, Japan LIRMM, France Indian Institute of Technology Indore, India Visa Research, USA Indian Institute of Technology Kharagpur, India Indian Institute of Technology Madras, India Indian Statistical Institute, Kolkata, India Indian Institute of Technology Ropar, India Indian Institute of Technology Jammu, India Indian Institute of Technology Madras, India Nanyang Technological University, Singapore Indian Institute of Technology Kanpur, India KU Leuven, Belgium Western University, Canada The University of Adelaide, Australia Concordia University, Canada
Additional Reviewers Cabrera Aldaya, Alejandro Carre, Sebastien Chattopadhyay, Nandish Chauhan, Amit Kumar Datta, Nilanjan Guilley, Sylvain Hou, Xiaolu Jap, Dirmanto Jha, Sonu Jhawar, Mahavir Kairallah, Mustafa
Marion, Damien Massolino, Pedro Maat Mozaffari Kermani, Mehran Méaux, Pierrick Patranabis, Sikhar Poll, Erik Raikwar, Mayank Roy, Debapriya Basu Saarinen, MarkkuJuhani Olavi Saha, Sayandeep
Keynote Talks/Tutorials Talks
Symbolic Execution vs. Search for Software Vulnerability Detection and Patching
Abhik Roychoudhury School of Computing, National University of Singapore
[email protected] Abstract. Many of the problems of software security involve search in a large domain, for which biased random searches have been traditionally employed. In the past decade, symbolic execution via systematic program analysis has emerged as a viable alternative to solve these problems, albeit with higher overheads of constraint accumulation and backend constraint solving. We take a look at how some of the systematic aspect of symbolic execution can be imparted into biasedrandom searches. Furthermore, we also study how symbolic execution can be useful for purposes other than guided search, such as extracting the intended behavior of a buggy/vulnerable application. Extracting the intended program behavior, enables software security tasks such as automated program patching, since the intended program behavior can provide the correctness criterion for guiding automated program repair. Keywords: Fuzz testing Greybox fuzzing Automated program repair
1 Introduction Software security typically involves a host of problems ranging from vulnerability detection, exploit generation, reaching nooks and corners of software for greater coverage, program hardening and program patching. Many of these problems can be envisioned as huge search problems, for example the problem of vulnerability detection can be seen as a search for problematic inputs in the input space. Similarly the problem of repairing or healing programs automatically can be seen as searching in the (huge) space of candidate patches or mutations. For these reasons, biased random searches have been used for many search problems in software security. In these settings, a moreorless random search is conducted over a domain with the search being guided or biased by an objective function. The migration from one part of the space to another is aided by some mutation operators. A common embodiment of such biased random searches is the genetic search inherent in popular greybox fuzzers like American Fuzzy Lop or AFL [1] which try to ﬁnd inputs to crash a given program. In the past decade symbolic or concolic execution has emerged as a viable alternative for guiding huge search problems in software security. Roughly speaking, symbolic execution works in one of two modes. Either the program is executed with a symbolic or unknown input and an execution tree is constructed. Then, the constraint along each roottoleaf path in the tree is solved to generate sample inputs or tests.
XII
A. Roychoudhury
Alternatively, in concolic execution, a random input i is generated and the constraint capturing its execution path is constructed to capture all inputs which follow the same path as i. Subsequently, the constraint captured from i’s path is systematically mutated and the mutated constraints are solved to ﬁnd inputs traversing other paths in the program. The aim is to enhance the path coverage for the set of inputs generated. The path constraint for a program path p, denoted pcðpÞ captures the set of inputs which trace the path p. An overview of symbolic execution for vulnerability detection and test generation appears in [2].
2 Symbolic Analysis Inspired Search Let us consider the general problem of software vulnerability detection. Symbolic execution and search techniques both have their pros and cons. For this reason, software vulnerability detection or fuzz testing considers three flavors. The goal here is to generate program inputs which will expose program vulnerabilities. Thus, it involves a search over the domain of program inputs. – Blackbox fuzzing considers the input domain and performs mutations on program inputs, without any view of the program. – Greybox fuzzing has a limited view of the program such as transitions between basic blocks via compiletime instrumentation. The instrumentation helps us predict during runtime about the coverage achieved by existing set of tests, and accordingly mutations can be employed on selected tests to enhance coverage. – Whitebox fuzzing has a full view of the program, which is analyzed via symbolic execution. Symbolic execution along a path produces a logical formula in the form of a path constraint. The path constraint is mutated, and the mutated logical formula is solved to (repeatedly) generate tests traversing other program paths. Symbolic execution is clearly more systematic than greybox/blackbox fuzzing, and it is geared to traverse a new program path, when a new test input is generated. At the same time, it comes with the overheads of constraint solving and program analysis. In recent work, we have studied how ideas inspired from symbolic execution can augment the underlying genetic search in a greybox fuzzer, such as AFL. In our recent work on AFLFast [3], we have suggested a prioritization mechanism for mutating inputs. In conventional AFL, any input selected for mutation is treated “similarly”, that is, any selected input may be mutated a ﬁxed number of times to examine the“neighbourhood” of the input. Instead, given an input, we seek to predict whether the input traces a “rare” path, a path that is frequented by few inputs. For these predicted rare paths, we subject them to enhanced examination by mutating such inputs more number of times. The amount of mutation done for a test input is governed by a socalled power schedule. Another use of symbolic execution lies in reachability analysis. Speciﬁcally it is useful for ﬁnding the constraints under which a location can be reached. If paths p1 and p2 reach a control location L in the program, then inputs reaching L can be obtained by
Symbolic Execution vs. Search for Software Vulnerability Detection and Patching
XIII
solving pcðp1 Þ _ pcðp2 Þ where pcðpi Þ is the path constraint for path pi . We can incorporate this kind of reachability analysis into the genetic search inherent in greybox fuzz testing tools like AFL. In a recent work, we have developed AFLGo [4], a directed greybox fuzzer built on top of AFL [1]. Given one or more target locations to reach, at the compile time, we instrument each basic block with approximate values of distance to the target location(s). The distance is then used in the power schedule. At the initial stages of a fuzzing session, thus the distance is not used and the search is primarily geared towards exploration. At a certain point of time, the search moves from exploration to exploitation and tries to devote more time mutating inputs whose paths are deemed to be close to the target location(s). Such an enhancement of greybox fuzzing is an example of how the systematic nature of symbolic analysis can be imparted into searchbased software security tasks.
3 Symbolic Reasoning for Program Repair Of late, we have also explored how symbolic reasoning can be used for purposes other than guiding search or reaching locations in a program. In particular, we observe that symbolic execution can be used to extract a speciﬁcation of the intended behavior of a program, directly by analyzing a buggy program. This, indeed, is a key issue, since formal speciﬁcations of intended behavior are often not available. As a result, we can envision using symbolic execution for completely new purposes, such as automated program repair or selfhealing software. The problem of automated program repair can be formally stated as follows. Given a buggy program P and a correctness criterion given as a set of tests T, how do we construct P0 , the minimal modiﬁcation of P which passes the testsuite T. Once again, the problem of program repair can be seen as a huge search problem in itself, it involves searching in the huge space of candidate patches of P. For this purpose, genetic search has been employed as evidenced in the GenProg tool [5]. Such a tool is based on a generate and validate approach, patches are generated, often by copying/mutating code from elsewhere in the program or from earlier program versions, and these generated patches are checked against the given tests T. Genetic search has also been used for program transplantation, a problem related to program repair, where key functionality is transplanted from one program to another [6]. Given certain weak speciﬁcations of correctness, such as a given testsuite T, we can instead try to extract a glimpse of the speciﬁcation about intended program behavior, using symbolic execution. Such speciﬁcations can act as a repair constraint, a constraint that needs to be satisﬁed for the program to pass T. Subsequently, program synthesis technology can be used to synthesize patches meeting the repair constraint. Such an approach has been suggested by the SemFix work [7] and subsequently made more scalable via the Angelix tool [8] which performs multiline program repair. Furthermore, such general purpose program repair tools have been shown to be useful for automatically generating patches for wellknown security vulnerabilities such as the Heartbleed vulnerability.
XIV
A. Roychoudhury
There also exist opportunities for generating patches systematically from earlier program versions if one is available. If an earlier program version is available, one can repair for absence of regressions via the simultaneous symbolic analysis of the earlier and current program versions [9]. Such a technique leads to provably correct repairs, which can greatly help in making automated program repair an useful tool in building trustworthy systems. Acknowledgments. This research is supported in part by the National Research Foundation, Prime Ministers Ofﬁce, Singapore under its National Cybersecurity R&D Program (Award No. NRF2014NCRNCR00121) and administered by the National Cybersecurity R&D Directorate.
References 1. Zalewski, M.: American fuzzy lop (2018). http://lcamtuf.coredump.cx/aﬂ/ 2. Cadar, C., Sen, K.: Symbolic execution for software testing: three decades later. Commun. ACM 56(2), 82–90 (2013) 3. Böhme, M., Van Pham, T., Roychoudhury, A.: Coverage based greybox fuzzing as a markov chain. In: 23rd ACM Conference on Computer and Communications Security (CCS) (2016) 4. Böhme, M., Pham, V.T., Nguyen, M.D., Roychoudhury, A.: Directed greybox fuzzing. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS) (2017) 5. Weimer, W., Nguyen, T.V., Le Goues, C., Forrest, S.: Automatically ﬁnding patches using genetic programming. In: ACM/IEEE International Conference on Software Engineering (ICSE) (2009) 6. Barr, E.T., Brun, Y., Devanbu, P., Harman, M., Sarro, F.: The plastic surgery hypothesis. In: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE) (2014) 7. Nguyen, H.D.T., Qi, D., Roychoudhury, A., Chandra, S.: SemFix: program repair via semantic analysis. In: ACM/IEEE International Conference on Software Engineering (ICSE) (2013) 8. Mechtaev, S., Yi, J., Roychoudhury, A.: Angelix: scalable multiline program patch synthesis via symbolic analysis. In: ACM/IEEE International Conference on Software Engineering (ICSE) (2016) 9. Mechtaev, S., Nguyen, M.D., Noller, Y., Lars, G., Roychoudhury, A.: Semantic program repair using a reference implementation. In: ACM/IEEE International Conference on Software Engineering (ICSE) (2018)
Persistence Wears down Resistance: Persistent Fault Analysis on Unprotected and Protected Block Cipher Implementations (Extended Abstract) Shivam Bhasin1, Jingyu Pan1,2, and Fan Zhang2 1
Temasek Laboratories, Nanyang Technological University, Singapore
[email protected] 2 Zhejiang University, China joeypan,
[email protected]
Abstract. This works gives an overview of persistent fault attacks on block ciphers, a recently introduced fault analysis technique based on persistent faults. The fault typically targets stored constant of cryptographic algorithms over several encryption calls with a single injection. The underlying analysis technique statistically recovers the secret key and is capable of defeating several popular countermeasures by design. Keywords: Fault attacks Modular redundancy Persistent fault
1 Introduction Fault attacks [1, 2] are active physical attacks that use external means to disturb normal operations of a target device leading to security vulnerability. These attacks have been widely used for key recovery from widely used standard cryptographic schemes, such as AES, RSA, ECC etc. Several types of faults can be exploited to mount such attacks. Commonly known fault types are transient and permanent. A transient fault, which is most commonly used, generally affects only one instance of the target function call (eg. one encryption). On the other hand, a permanent fault, normally owing to device defects, affects all calls to the target function. Based on these two fault types, several analysis techniques have been developed. The most common are differential in nature, which require a correct and faulty computation with same inputs, to exploit the difference of ﬁnal correct and faulty output pair for key recovery. Common examples of such techniques are differential fault analysis (DFA) [2], algebraic fault analysis (AFA) [4], etc. Some analyses are also based on statistical methods which can exploit faulty ciphertexts only like statistical fault analysis (SFA) [5] and fault sensitivity analysis (FSA) [6]. Recently, a new fault analysis technique was proposed [8] with a persistent fault model. Persistent fault lies between transient and permanent faults. Unlike transient fault, it affects several calls of the target function, however, persistent fault is not
XVI
S. Bhasin et al.
permanent, and disappears with a device reset/reboot. The corresponding analysis technique is called Persistent Fault Analysis (PFA) [8].
2 Persistent Fault Analysis (PFA) PFA [8] is based on persistent fault model. In the following, the fault is assumed to alter a stored constant (like one or more entries in Sbox lookup) in the target algorithm, typically stored in a ROM. The attacker observes multiple ciphertext outputs with varying plaintext (not known). The modus operandi of PFA is explained with the following example. Let us take PRESENT cipher which uses a 4 4 Sbox i.e. 1 16 elements of 4bits each, where each element has an equal expectation E of 16 . 0 A persistent fault alters value of element x in Sbox to another element x , it makes 2 1 , while all other elements still have the expectation 16 . The output EðxÞ ¼ 0; Eðx0 Þ ¼ 16 ciphertext is still correct if faulty element x is never accessed during the encryption else the output is faulty. This difference can be statistically observed in the ﬁnal ciphertext where some values will be missing (related to x) and some occuring more often than others (due to x0 ), which leaks information on the key k. This is illustrated in Fig. 1 (top) with x ¼ 10; x0 ¼ 8. The key can be recovered even if x; x0 are not known by simple bruteforcing. The strategy for key recovery can be one of the following: 1. tmin : ﬁnd the missing value in Sbox table. Then k ¼ tmin x; 2. t ¼ 6 tmin : ﬁnd other values t where t 6¼ tmin and eliminate candidates for k; 3. tmax : ﬁnd the value with maximal probability k ¼ tmax x0 . The distribution of tmin or tmax can be statistically distinguished from the rest. The minimum number of ciphertexts N follows the classical coupon collector’s problem [3] b ð2X 1Þ 1 b where it needs N ¼ ð2 1Þ ð Þ, where b is the bit width of x. In PRESENT i i¼1 (b ¼ 4) N 50, as shown in Fig. 1 (bottom).
Persistence Wears down Resistance: Persistent Fault Analysis on Unprotected
XVII
Fig. 1. Overview of Persistent Fault Attack (top), distribution of tmin and tmax against no. of ciphertexts for PRESENT leading to key recovery (bottom)
2.1
PFA vs Other Fault Analysis
Here we list the key merits and demerits of PFA against other fault analysis. Merits – The main advantage of PFA is that it needs only one fault injection, which reduces the injection effort to minimum. Fault targets a constant in memory which persists over several following encryptions. This also reduces the injection effort in terms of timing precision within an injection. Moreover, live detection by sensors can be bypassed by injecting before the sensitive computation starts and sensors become active. – The attack is statistical on ciphertexts only, and thus unlike differential attacks, needs no control over plaintexts.
XVIII
S. Bhasin et al.
– The fault model remains relaxed compared to other statistical attacks which may require multiple injections (one per encryption) with a known bias or additional sidechannel information. – Unlike any other known attacks, PFA can also be applied in the multiple fault (in a single encryption) setting. Demerits – Being statistical in nature, it needs a higher number of ciphertexts as compared to DFA. Some known DFA can lead to key recovery with 1 or 2 correct/faulty ciphertext pair. – Persistent faults can be detected by builtin self check mechanism. 2.2
Application of PFA on Countermeasures
PFA has natural properties which make several countermeasures vulnerable. The details on analysis of the countermeasure remain out of scope of this extended abstract due to limited space and interested readers are encouraged to refer [8]. Dual modular redundancy (DMR) is a popular fault countermeasure. The most common DMR proposes to compute twice and compare outputs. This countermeasure is naturally vulnerable to PFA if shared memories for constants are used, which is often the case due to resource constraint environments. Other proposals use separate memories or compute forward followed by compute inverse and compare inputs. All these countermeasures output a correct ciphertext when no fault is injected. For a detected fault, the faulty output can be suppressed by no ciphertext output (NCO), zero value output (ZVO), or random ciphertext output (RCO) [8]. As PFA leaves certain probability for correct ciphertext output despite the persistent fault, it leads to key recovery using statistical method. However, more ciphertexts would be required in the analysis as some information is suppressed by the DMR countermeasure. Masking [7] on the other hand is a side channel countermeasure which is widely studied. As a persistent fault injects a bias in the underlying computation due to a biased constant, the bias can also affect the masking leading to key recovery.
3 Conclusion Persistent fault analysis is a powerful attack technique which can make several cryptographic schemes vulnerable. With as low as one fault injection and simple statistical analysis on ciphertexts, PFA can perform key recovery. The introduced vulnerability also extends to protected implementations. We briefly discussed the impact of PFA on modular redundancy and masking based countermeasures. Existing countermeasures and other cryptographic schemes including public key cryptography must be analyzed to check their resistance against PFA. This further motivates research for dedicated countermeasures to prevent PFA.
Persistence Wears down Resistance: Persistent Fault Analysis on Unprotected
XIX
References 1. BarEl, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The sorcerer’s apprentice guide to fault attacks. Proc. IEEE 94(2), 370–382 (2006) 2. Biham, E., Shamir, A.: Differential cryptanalysis of the data encryption standard. Cryst. Res. Technol. 17(1), 79–89 (2006) 3. Blom, G., Holst, L., Sandell, D.: Problems and Snapshots from the World of Probability. Springer, Heidelberg (2012) 4. Courtois, N.T., Jackson, K., Ware, D.: Faultalgebraic attacks on inner rounds of DES. In: eSmart’10 Proceedings: The Future of Digital Security Technologies. Strategies Telecom and Multimedia (2010) 5. Fuhr, T., Jaulmes, E., Lomne, V., Thillard, A.: Fault attacks on AES with faulty ciphertexts only. In: The Workshop on Fault Diagnosis & Tolerance in Cryptography, pp. 108–118 (2013) 6. Li, Y., Sakiyama, K., Gomisawa, S., Fukunaga, T., Takahashi, J., Ohta, K.: Fault sensitivity analysis. In: Mangard, S., Standaert, F.X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 320–334. Springer, Heidelberg (2010) 7. Rivain, M., Prouff, E.: Provably secure higherorder masking of AES. CHES 2010, 413–427 (2010) 8. Zhang, F., Lou, X., Zhao, X., Shivam, B., He, W., Ding, R., Qureshi, S., Ren, K.: Persistent fault analysis on block ciphers. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3), 150– 172 (2018)
Tutorial: Uncovering and Mitigating SideChannel Leakage in Intel SGX Enclaves
Jo Van Bulck and Frank Piessens imecDistriNet, KU Leuven, Celestijnenlaan 200A, B3001 Belgium {jo.vanbulck,frank.piessens}@cs.kuleuven.be Abstract. The inclusion of the Software Guard eXtensions (SGX) in recent Intel processors has been broadly acclaimed for bringing strong hardwareenforced trusted computing guarantees to mass consumer devices, and for protecting end user data in an untrusted cloud environment. While SGX assumes a very strong attacker model and indeed even safeguards enclave secrets against a compromised operating system, recent research has demonstrated that considerable private data (e.g., full text and images, complete cryptographic keys) may still be reconstructed by monitoring subtle sideeffects of the enclaved execution. We argue that a systematic understanding of such sidechannel leakage sources is essential for writing intrinsically secure enclave applications, and will be instrumental to the success of this new trusted execution technology. This tutorial and writeup therefore aims to bring a better understanding of current stateoftheart sidechannel attacks and defenses on Intel SGX platforms. Participants will learn how to extract data from elementary example applications, thereby recognizing how to avoid common pitfalls and information leakage sources in enclave development. Keywords: Sidechannel Enclave SGX Tutorial
1 Introduction Trusted Execution Environments (TEEs), including Intel SGX, are a promising new technology supporting secure isolated execution of critical code in dedicated enclaves that are directly protected and measured by the processor itself. By excluding vast operating system and hypervisor code from the trusted computing base, TEEs establish a minimalist hardware rootoftrust where application developers solely rely on the correctness of the CPU and the implementation of their own enclaves. Enclaved execution hence holds the promise of enforcing strong security and privacy requirements for local and remote computations. Modern processors unintendedly leak information about (enclaved) software running on top, however, and such traces in the microarchitectural CPU state can be abused to reconstruct application secrets through sidechannel analysis. These attacks have received growing attention from the research community and signiﬁcant understanding has been built up over the past decade. While information leakage from sidechannels is generally limited to speciﬁc code or data access patterns, recent work
Tutorial: Uncovering and Mitigating SideChannel Leakage in Intel SGX Enclaves
XXI
[4, 5, 8–11] has demonstrated signiﬁcant sidechannel ampliﬁcation for enclaved execution. Ultimately, the disruptive realworld impact of sidechannels became apparent when they were used as building blocks for the highimpact Meltdown, Spectre, and Foreshadow speculation attacks (where the latter completely erodes trust on unpatched Intel SGX platforms [7]). Intel explicitly considers sidechannels out of scope, clarifying that “it is the enclave developer’s responsibility to address sidechannel attack concerns” [2]. Unfortunately, we will show that adequately preventing sidechannel leakage is particularly difﬁcult — to the extent where even Intel’s own vetted enclave entry code suffered from subtle yet dangerous sidechannel vulnerabilities [3]. As such, we argue that sidechannels cannot merely be considered out of scope for enclaved execution, but rather necessitate widespread developer education so as to establish a systematic understanding and awareness of different leakage sources. To support this cause, this tutorial and writeup present a brief systematization of current stateoftheart attacks and general guidelines for secure enclave development. All presentation material and source code for this tutorial will be made publicly available at https://github.com/jovanbulck/sgxtutorialspace18.
2 Software SideChannel Attacks on Enclaved Execution We consider a powerful class of softwareonly attacks that require only code execution on the machine executing the victim enclave. Depending on the adversary’s goals and capabilities, the malicious code can either be executing interleaved with the victim enclave (interruptdriven attacks [4, 8–11]), or launched concurrently from a coresident logical CPU core (HyperThreadingbased resource contention attacks [5]). In the following, we overview known sidechannels. Memory Accesses. Even before the ofﬁcial launch of Intel SGX, researchers showed the existence of a dangerous sidechannel [11] within the processor’s virtualtophysical address translation logic. By revoking access rights on selected enclave memory pages, and observing the associated page fault patterns, adversaries controlling the operating system can deterministically establish enclaved code and data accesses at a 4 KiB granularity. This attack technique has been proven highly practical and effective, extracting full enclave secrets in a single run and without noise. Following the classic catandmouse game, subsequent proposals to hide enclave page faults from the adversary led to an improved class of stealthy attack variants [10] that extract page table access patterns without provoking page faults. It has furthermore been demonstrated [8] that privileged adversaries can mount such interruptdriven attacks at a very precise instructionlevel granularity, which allows to accurately monitor enclave memory access patterns in the time domain so as to defeat naive spatial page alignment defense techniques [2, 8]. A complementary line of SGXbased Prime+Probe cache attacks exploit information leakage at an improved 64byte cache line granularity [6]. Adversaries ﬁrst load carefully selected memory locations into the shared CPU cache, and afterwards
XXII
J. Van Bulck and F. Piessens
measure the time to reload these addresses to establish code and data evictions by the victim enclave. As with the paging channel above, these attacks commonly exploit the adversary’s control over untrusted system software to frequently interrupt the victim enclave and gather sidechannel information at a maximum temporal resolution [8]. This is not a strict requirement, however, as it has been demonstrated that even unprivileged attacker processes can concurrently monitor enclave cache access patterns in realtime [6]. In summary, the above research results show that enclave code and data accesses on SGX platforms can be accurately reconstructed, both in space (at a 4 KiB or 64byte granularity) as well as in time (after every single instruction). InstructionLevel Leakage. It has furthermore been shown that enclaveprivate control flow leaks through the CPU’s internal Branch Target Buffer [4]. These attacks essentially follow the general principle of the above Prime+Probe attacks by ﬁrst forcing the BTB cache in a known state. After interrupting the enclave, the adversary measures a dedicated shadow branch to establish whether the secretdependent victim branch was executed or not. Importantly, unlike the above memory access sidechannels, such branch shadowing attacks leak control flow at the level of individual branch instructions (i.e., basic blocks). Apart from amplifying conventional sidechannels, enclaved execution attack research has also revealed new and unexpected subcache level leakage sources. One recent work presented the Nemesis [9] attack that measures individual enclaved instruction timings through interrupt latency, allowing to partially reconstruct a.o., instruction type, operand values, address translation, and cache hits/misses. MemJam [5] furthermore exploits selective instruction timing penalties from false dependencies induced by an attackercontrolled spy thread to reconstruct enclaveprivate memory access patterns within a 64byte cache line. Speculative Execution. In the aftermath of recent x86 speculation vulnerabilities, researchers have successfully demonstrated Spectretype speculative code gadget abuse against SGX enclaves [1]. Recent work furthermore presented Foreshadow [7] which allows for arbitrary inenclave reads and completely dismantles isolation and attestation guarantees in the SGX ecosystem. Intel has since revoked the compromised attestation keys, and released microcode patches to address Foreshadow and Spectre threats at the hardware level.
3 Enclave Development Guidelines and Caveats Existing SGX sidechannel mitigation approaches generally fall down in two categories. One line of work attempts to harden enclave programs through a combination of compile time code rewriting and run time randomization or checks, so as to obfuscate the attacker’s view or detect sideeffects of an ongoing attack. Unfortunately, as these heuristic proposals do not block the root information leakage in itself, they often fall victim to improved and more versatile attack variants [5, 8, 10]. A complementary line of work therefore advocates the more comprehensive constant time approach known
Tutorial: Uncovering and Mitigating SideChannel Leakage in Intel SGX Enclaves
XXIII
from the cryptography community: eliminate secretdependent code and data paths altogether. While this approach is relatively wellunderstood for small applications, in practice even vetted crypto implementations exhibit nonconstant time behavior [5, 6, 10]. In the context of SGX, it has furthermore been shown [9, 11] that enclave secrets are typically not limited to welldeﬁned private keys, but are instead scattered throughout the code and hence much harder to manipulate in constant time. We conclude that sidechannels pose a real threat to enclaved execution, while no silver bullet exists to eliminate them at the compiler or system level. Depending on the enclave’s size and security objectives, it may be desirable to strive for intricate constant time solutions, or instead rely on heuristic hardening measures. However, further research and raising developer awareness are imperative to make such informed decisions and adequately employ TEE technology. Acknowledgments. This research is partially funded by the Research Fund KU Leuven. Jo Van Bulck is supported by the Research Foundation – Flanders (FWO).
References 1. Chen, G., Chen, S., Xiao, Y., Zhang, Y., Lin, Z., Lai, T.H.: SgxPectre attacks: Leaking enclave secrets via speculative execution arXiv:1802.09085 (2018) 2. Intel: Software guard extensions developer guide: Protection from sidechannel attacks (2017). https://software.intel.com/enus/node/703016 3. Intel: Intel Software Guard Extensions (SGX) SW Development Guidance for Potential Edger8r Generated Code Side Channel Exploits (2018) 4. Lee, S., Shih, M.W., Gera, P., Kim, T., Kim, H., Peinado, M.: Inferring ﬁnegrained control flow inside SGX enclaves with branch shadowing. In: Proceedings of the 26th USENIX Security Symposium, Vancouver, Canada (2017) 5. Moghimi, A., Eisenbarth, T., Sunar, B.: Memjam: a false dependency attack against constanttime crypto implementations in SGX. In: Smart, N.P. (ed.) Cryptographers’ Track at the RSA Conference, LNCS, vol 10808, pp. 21–44. Springer, Cham (2018) 6. Schwarz, M., Weiser, S., Gruss, D., Maurice, C., Mangard, S.: Malware guard extension: using SGX to conceal cache attacks. In: Polychronakis M., Meier M. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. LNCS, vol 10327, pp. 3–24. Springer, Cham (2017) 7. Van Bulck, J., et al.: Foreshadow: extracting the keys to the Intel SGX kingdom with transient outoforder execution. In: Proceedings of the 27th USENIX Security Symposium. USENIX Association (2018) 8. Van Bulck, J., Piessens, F., Strackx, R.: SGXStep: a practical attack framework for precise enclave execution control. In: Proceedings of the 2nd Workshop on System Software for Trusted Execution, SysTEX’17, pp. 4:1–4:6. ACM (2017) 9. Van Bulck, J., Piessens, F., Strackx, R.: Nemesis: studying microarchitectural timing leaks in rudimentary CPU interrupt logic. In: Proceedings of the 25th ACM Conference on Computer and Communications Security, CCS’18 (2018)
XXIV
J. Van Bulck and F. Piessens
10. Van Bulck, J., Weichbrodt, N., Kapitza, R., Piessens, F., Strackx, R.: Telling your secrets without page faults: stealthy page tablebased attacks on enclaved execution. In: Proceedings of the 26th USENIX Security Symposium, USENIX (2017) 11. Xu, Y., Cui, W., Peinado, M.: Controlledchannel attacks: deterministic side channels for untrusted operating systems. In: 2015 IEEE Symposium on Security and Privacy, pp. 640– 656. IEEE (2015)
A Composition Result for Constructing BBB Secure PRF Nilanjan Datta1, Avijit Dutta2, Mridul Nandi2, Goutam Paul2 1
Indian Institute of Technology, Kharagpur 2 Indian Statistical Institute, Kolkata
[email protected],
[email protected],
[email protected],
[email protected] Abstract. In this paper, we propose Doubleblock HashthenSum (DbHtS), a generic design paradigm to construct a BBB secure pseudo random function. DbHtS computes a double block hash function on the message and then sum the encrypted outputs of the two hash blocks. Our result renders that if the underlying hash function meets certain security requirements (namely coverfree and blockwise universal advantage is low), DbHtS construction provides 2n / 3bit security. We demonstrate the applicability of our result by instantiating all the existing beyond birthday secure deterministic MACs (e.g., SUMECBC, PMAC_Plus, 3kf9, LightMAC_Plus) as well as their reducedkey variants.
1 Introduction Pseudo Random Function (PRF) plays an important role in symmetric key cryptography to authenticate or encrypt any arbitrary length message. Over the years, there have numerous candidates of PRFs (e.g., CBCMAC [BKR00] and many others). These PRFs give security only upto birthday bound, i.e., the mode is secure only when the total number of blocks that the mode can process does not exceed 2n=2 , where n is the block size of the underlying primitive (e.g., block cipher). Birthday bound secure constructions are acceptable in practice with a moderately large block size. However, the mode becomes vulnerable if instantiated with some smaller block size primitive. In this line of research, SUMECBC [Yas10] is the ﬁrst beyond the birthday bound (BBB) secure rate1 / 2 PRF with 2n/3bit security. Followed by this work, many BBB secure PRFs e.g., PMAC_Plus [Yas11], 3kf9 [ZWSW12], LightMAC_Plus [Nai17], 1KPMAC_Plus [DDN+17] etc. have been proposed and all of them gives roughly 2n/ 3bit security. Interestingly, all these constructions possess a common structural design which is the composition of (i) a double block hash (DbH) function that outputs a 2nbit hash value of the input message and (ii) a ﬁnalization phase that generates the ﬁnal tag by xoring the encryption of two nbit hash values. However, all these PRFs follow a different way to bound the security. This observation motivates us to come up with a generic design guideline to construct BBB secure PRFs and hence brings all the existing BBB secure PRFs under one common roof and enables us to give a uniﬁed security proof for all of them.
XXVI
N. Datta et al.
Our Contributions. We introduce Doubleblock HashthenSum (DbHtS) a generic design of BBB secure PRF by xoring the encryption of the outputs of a DbH function. Based on the usage of the keys, we call the DbHtS construction threekeyed (resp. twokeyed), if two block cipher keys are (resp. a single block cipher key is) used in the ﬁnalization phase along with the hash key. We show that if the coverfree and the blockwise universal advantage of the underlying DbH function is sufﬁciently low, then the twokeyed DbHtS is secure beyond the birthday bound. We show the applicability of this result by instantiating existing beyond birthday secure deterministic MACs (i.e., SUMECBC, PMAC_Plus, 3kf9, LightMAC_Plus) and their twokeyed variants and showing their beyond birthday bound security.
2 DbHtS : A BBB Secure PRF Paradigm Doubleblock HashthenSum (DbHtS) is a paradigm to build a BBB secure VIL PRF where the Doubleblock Hash (DbH) function is used with a very simple and efﬁcient singlekeyed or twokeyed sum function: – SINGLEKEYED SUM FUNCTION: SumK ðx; yÞ ¼ EK ðxÞ EK ðyÞ, – TWOKEYED SUM FUNCTION: SumK1 ;K2 ðx; yÞ ¼ EK1 ðxÞ EK2 ðyÞ. Given a DbH function and the sum function over two blocks, we apply the composition of the DbH function and the sum function to realize the DbHtS construction. Based on the types of sum function i.e., singlekeyed or (resp. twokeyed) used in the composition, we have three keyed or (resp. twokeyed) DbHtS construction. 2.1
Security Deﬁnitions for DbH Function
Let Kb be a set of bad hash keys. A DbH function is said to be (weak) coverfree if for any triplet of messages out of any q distinct messages, the joint probability, over a random draw of the hash key, that the values taken by the two halves of the hash outputs of a message also appears in the (corresponding) either halves of the hash outputs of two other messages of the triplet, and the sampled hash key falls to the set Kb , is low. A DbH function is said to be (weak) blockwise universal if for any pair of messages out of any q distinct messages, the joint probability, over a random draw of the hash key, that any half of the hash output for a message collides with (the same) any half of the hash output for the other message of the pair, and the sampled hash key falls to the set Kb , is low. Finally, a DbH function is said to be colliding if for any messages out of any q distinct messages, the joint probability, over a random draw of the hash key, that any half of the hash output of the message collides with other halves of the output, and the sampled hash key falls to the set Kb , is low.
A Composition Result for Constructing BBB Secure PRF
2.2
XXVII
Security Result of DbHtS
Let q denotes the maximum number of queries by any adversary and ‘ denotes the maximum number of message blocks among all q queried messages. Theorem 1 (i) If H is a cf coverfree, univ blockwise universal and coll colliding hash function for a ﬁxed set of bad hash keys Kb , then the distinguishing advantage of twokeyed DbHtS from the random function is bounded by q3 3q3 6q3 q bh þ qcoll þ cf þ n univ þ 2n þ n ; 2 6 2 2 where bh is the upper bound on the probability of a sampled hash key falls to Kb . (ii) If H is a wcf weak coverfree and wuniv weak blockwise universal hash function for a ﬁxed set of bad hash keys Kb , then the distinguishing advantage of threekeyed DbHtS from the random function is bounded by q3 3q3 2q3 bh þ wcf þ n wuniv þ 2n ; 6 2 2 where bh is the upper bound on the probability of a sampled hash key falls to Kb .
Instantiations of DbHtS In this section, we revisit two BBB secure parallel mode PRF PMAC_Plus, LightMAC_Plus and two BBB secure parallel mode PRF SUMECBC, 3kf9. We also consider simple twokey variants of these constructions. All the speciﬁcations are given in Fig. 1. Applying Theorem 1 on these constructions, we obtain the following bounds:
Constructions 2KPMAC_Plus 2KLightMAC_Plus PMAC_Plus LightMAC_Plus
Security Bound q ‘=2 þ q ‘ =2 q3 =22n þ q=2n q3 ‘=22n þ q2 ‘2 =22n q3 =22n 3
2n
2 2
2n
Constructions 2KSUMECBC 2Kf9 SUMECBC 3kf9
Security Bound 2q‘2 =2n þ q3 ‘2 =22n q3 ‘4 =22n q‘2 =2n þ q3 =22n q3 ‘4 =22n
Open Problems. Here we list down some possible future research works: (i) One may try to extend this work to analyze the security of the singlekeyed DbHtS, where the hash key would be same as the block cipher key used in the sum function. (ii) Leurent et al [LNS18] have shown attacks on SUMECBC, PMAC_Plus, 3kf9 and LightMAC_Plus with query complexity of Oð23n=4 Þ. Establishing the tightness of the bound is an interesting open problem.
XXVIII
N. Datta et al.
Fig. 1. Speciﬁcation of existing MACs with BBB Security and their twokey variants. Here hjis denotes the sbit binary representation of integer j and ﬁxb function takes an nbit integer and returns the integer with its least signiﬁcant bit set to bit b.
References [BKR00]
Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000) [DDN+17] Datta, N., Dutta, A., Nandi, M., Paul, G., Zhang, L.: Single key variant of pmac_plus. IACR Trans. Symmetric Cryptol. 2017(4), 268–305 (2017) [LNS18] Leurent, G., Nandi, M., Sibleyras, F.: Generic attacks against beyondbirthdaybound macs, vol. 2018, p. 541 (2018) [Nai17] Naito, Y.: Blockcipherbased macs: beyond the birthday bound without message length. Cryptology ePrint Archive, Report 2017/852 (2017) [Yas10] Yasuda, K.: The sum of CBC macs is a secure PRF. CTRSA 2010, 366–381 (2010) [Yas11] Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011) [ZWSW12] Zhang, L., Wu, W., Sui, H., Wang, P.: 3kf9: enhancing 3GPPMAC beyond the birthday bound. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 296–312. Springer, Heidelberg (2012)
Contents
An Observation of Nonrandomness in the Grain Family of Stream Ciphers with Reduced Initialization Round. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Deepak Kumar Dalai and Dibyendu Roy
1
TemplateBased Fault Injection Analysis of Block Ciphers . . . . . . . . . . . . . . Ashrujit Ghoshal, Sikhar Patranabis, and Debdeep Mukhopadhyay
21
NEON SIKE: Supersingular Isogeny Key Encapsulation on ARMv7 . . . . . . . Amir Jalali, Reza Azarderakhsh, and Mehran Mozaffari Kermani
37
A Machine Vision Attack Model on Image Based CAPTCHAs Challenge: Large Scale Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ajeet Singh, Vikas Tiwari, and Appala Naidu Tentu Addressing SideChannel Vulnerabilities in the Discrete Ziggurat Sampler . . . Séamus Brannigan, Máire O’Neill, Ayesha Khalid, and Ciara Rafferty Secure Realization of Lightweight Block Cipher: A Case Study Using GIFT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Varsha Satheesh and Dillibabu Shanmugam Exploiting Security Vulnerabilities in Intermittent Computing . . . . . . . . . . . . Archanaa S. Krishnan and Patrick Schaumont EdSIDH: Supersingular Isogeny DiffieHellman Key Exchange on Edwards Curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reza Azarderakhsh, Elena Bakos Lang, David Jao, and Brian Koziel Correlation Power Analysis on KASUMI: Attack and Countermeasure . . . . . Devansh Gupta, Somanath Tripathy, and Bodhisatwa Mazumdar On the Performance of Convolutional Neural Networks for SideChannel Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Stjepan Picek, Ioannis Petros Samiotis, Jaehun Kim, Annelie Heuser, Shivam Bhasin, and Axel Legay Differential Fault Attack on SKINNY Block Cipher . . . . . . . . . . . . . . . . . . Navid Vafaei, Nasour Bagheri, Sayandeep Saha, and Debdeep Mukhopadhyay
52 65
85 104
125 142
157
177
XXX
Contents
dMUL: Optimizing and Implementing a Multidimensional Scalar Multiplication Algorithm over Elliptic Curves. . . . . . . . . . . . . . . . . . . . . . . Huseyin Hisil, Aaron Hutchinson, and Koray Karabina
198
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
219
An Observation of Nonrandomness in the Grain Family of Stream Ciphers with Reduced Initialization Round Deepak Kumar Dalai(B) and Dibyendu Roy School of Mathematical Science, National Institute of Science Education and Research (HBNI), Bhubaneswar 752 050, Odisha, India {deepak,dibyendu}@niser.ac.in
Abstract. The key scheduling algorithm (KSA) of the Grain family of stream ciphers expands the uniformly chosen key (K) and initialization vector (IV ) to a larger uniform looking state. The existence of nonrandomness in KSA results a nonrandomness in ﬁnal keystream. In this paper, we observe a nonrandomness in the KSA of Grainv1 and Grain128a stream ciphers of reduced round R. However, we could not exploit the nonrandomness into an attack. It can be claimed that if the KSA generates pseudorandom state, then the probability of generating a valid state T (i.e., in the range set of KSA function) of Grainv1, Grain128a must be 2−δ , where δ is the length of padding bits. In case of Grainv1 and Grain128a, δ = 16, 32 respectively. We show that a new valid state can be constructed by ﬂipping 3 and 19 bits of a given state in Grainv1 and Grain128a respectively with a probability higher than 2−δ . We show that the nonrandomness happens for R ≤ 129 and R ≤ 208 rounds of KSA of Grainv1 and Grain128a respectively. Further, in the case of Grainv1, we also found nonrandomness in some key, IV bits from the experiment.
Keywords: Stream cipher KSA · Nonrandomness
1
· Cryptanalysis · Grainv1 · Grain128a
Introduction
In 2008, eSTREAM [1] ﬁnalized Grainv1 [11] designed by Hell et al. as a candidate for stream ciphers in the hardware category. The cipher is based on an NFSR and an LFSR of length 80 bits each and a nonlinear ﬁlter function. Grainv1 runs in two phases. In the ﬁrst phase, the state of cipher is initialized by a secret key and an initialization vector of length 80 bits and 64 bits respectively. This phase is known as key scheduling phase and the method is known as Key Scheduling Algorithm (KSA). The KSA is followed by PseudoRandom Generation Algorithm (PRGA) to generate the keystream bits. The design speciﬁcation of Grainv1 is described in Sect. 3. c Springer Nature Switzerland AG 2018 A. Chattopadhyay et al. (Eds.): SPACE 2018, LNCS 11348, pp. 1–20, 2018. https://doi.org/10.1007/9783030050726_1
2
D. K. Dalai and D. Roy
In 2006, the design speciﬁcation of Grain128 [10] was introduced by Hell ˚gren et al. proposed a modiﬁed design of Grain128 with et al. Later in 2011, A authentication, which is known as Grain128a [2]. Grain128a is based on an NFSR and an LFSR of length 128 bits each and a nonlinear ﬁlter function. Grain128a also runs in two phases. In the key scheduling phase, the cipher is initialized by one 128bit secret key and 96bit initialization vector. Finally, the cipher generates the output bits for encryption and authentication purpose. The design speciﬁcation of Grain128a is presented in Subsect. 5.1. In last few years, Grain family of stream ciphers received serious attention among the cryptanalysts. In 2009, Aumasson et al. [3] found some non randomness in Grainv1 of 81 round and Grain128 of 215 round. A distinguisher up to 97 and 104 round of Grainv1 was observed by Knellwolf et al. [12] in 2010. Later, in 2014 Banik [5] has improved the result and a proposed conditional differential attack on 105 round of Grainv1. Sarkar [15] has found a distinguisher of Grainv1 at 106 rounds. In 2016, Ma et al. [14] proposed an improved conditional diﬀerential attack on 110 round of Grainv1. In the same year, Watanabe et al. [16] proposed a conditional diﬀerential attack on 114 round of Grainv1 in related key/weak key setup. In 2012, Lehmann and Meier [13] found nonrandomness at the 189th round of Grain128a. Few more cryptanalytic results on this family have been proposed in [4,6–9]. Our Contribution: In this paper, we observe a nonrandomness in the KSA of Grainv1 and Grain128a. We spotted some fact which should not be expected in a pseudorandom bit generator. However, we could not exploit the nonrandomness to propose any kind of attack on Grainv1 and Grain128a. The purpose of KSA in Grain family of stream ciphers is to generate a random looking state of n bits from a secret key of m bits and a known initialization vector of l bits. Further, the pseudorandom keystream bits are generated from the random looking state. Therefore, if the randomness of the generated state gets compromised then it aﬀects the randomness in the keystream. The KSA function is a mapping from the set of strings of (m + l) bits to the set of strings of n bits where n > m + l. We say a state (i.e., a string of n bits) is a valid state if the state is in the range set of KSA function (i.e., the state can be generated from a key and an IV ). An n bit string chosen uniformly in random can be a valid state with probability 2−δ , where δ = n − (m + l). In our work, we can generate a valid state with probability higher than the uniform probability 2−δ from a given valid state S. The KSA in Grainv1 and Grain128a constitutes a process for 160 and 256 rounds respectively. Here, we consider the KSA of reduced rounds R and found the nonrandomness exists till R = 129, 208 for Grainv1 and Grain128a respectively. The results are explained in Sect. 4 and Subsect. 5.2. Organization: The rest of the article is organized as follows. In Sect. 2, the notations and deﬁnitions are listed. In this section, we have also deﬁned the pseudorandom state generator in a general set up of Grain like ciphers. The design speciﬁcation of Grainv1 and inverse of its KSA is described in Sect. 3 and Subsect. 3.2 respectively. The design speciﬁcation of Grain128a is described in Subsect. 5.1. A nonrandomness in the KSA of Grainv1 is presented in Sect. 4.
An Observation of Nonrandomness in the Grain Family of Stream Ciphers
3
A bias between the key of given valid state and the key of the generated valid state is observed in Subsect. 4.1. Nonrandomness in the KSA of Grain128a is described in Sect. 5.2. Finally, the article is concluded in Sect. 6.
2
Preliminary
In this section, we provide notations, general setup and some deﬁnitions, which are followed in the article. 2.1
Notations
The notations used in the paper are listed as following. – Vn : The vector space IFn2 over the two elements ﬁeld IF2 . – K, IV : The secret key and the initialization vector respectively. – K ∗ , IV ∗ : The modiﬁed secret key and modiﬁed initialization vector respectively. – ki , ki∗ , ivi , ivi∗ : The ith bit of the key K, K ∗ and initialization vectors IV, IV ∗ respectively. – l, m, n: The length (in bits) of the initialization vector, the secret key and the state in the cipher respectively, where n > m + l. In the case of Grainv1, l = 64, m = 80, n = 160 and in the case of Grain128a, l = 96, m = 128, n = 256. – δ: The diﬀerence between the length of state and the length of the secret key and initialization vector i.e., δ = n − (m + l) (i.e., the length of padding bits). In the case of Grainv1 and Grain128a, δ = 16, 32 respectively. – F : The function of the KSA, F : Vm × Vl → Vn . – RF : The range set of the function F , which is a subset of Vn . – li , ni : The ith state bit in LFSR and NFSR respectively. In case of Grainv1 and Grain128a, the range of index i is 0 ≤ i ≤ 79 and 0 ≤ i ≤ 127 respectively. – S(li ), S(ni ): The value of state bits li and ni in a state S respectively. – R: The number of state update rounds involved in the KSA. In the case of Grainv1 and Grain128a, the actual value of R is 160 and 256 respectively. For this work, we consider the reduced values of R. – S: A valid state output by the KSA i.e., S ∈ RF . – T : A generated state after ﬂipping few bits in S. – Δ(S, T ): The set of state bits where S and T diﬀer, i.e., Δ(S, T ) = {li : S(li ) = T (li )} ∪ {ni : S(ni ) = T (ni )}. – Si , 0 ≤ i ≤ R: The state after the ith round of state update in the KSA. Here, SR = S. – TR−i , 0 ≤ i ≤ R: The state after the ith round of inverse state update from the state TR = T . – K(SR ), IV (SR ): The secret key and the initialization vector used to generate a valid state SR after R rounds of clocking respectively. That is, K(SR ) = (S0 (n0 ), S0 (n1 ), · · · , S0 (nm−1 )) and IV (SR ) = (S0 (l0 ), S0 (l1 ), · · · , S0 (ll−1 )).
4
2.2
D. K. Dalai and D. Roy
General Setup of Grain Like Ciphers
In this section, we deﬁne a necessary condition for the pseudorandomness in a general set up of a family of stream ciphers. The ciphers follow the key scheduling phase and pseudorandom bit stream generation phase to produce the keystream bits. The idea of key scheduling algorithm (KSA) is to generate a uniformly random looking state from a pair of shorter uniformly chosen key (K) and initialization vector (IV ). Further, the pseudorandom generation algorithm (PRGA) generates the keystream of some length α from the random looking state. In another way, we can say, the cipher transforms a short uniformly random pair K and IV into a longer keystream in twostep processes. That is, the KSA expands the uniformly selected K of length m and IV of length l to a uniformly random looking state of larger length (n > m + l) and the PRGA further, expands the uniformly random looking state of length n to a pseudorandom keystream of length α. If the uniformity is compromised in the output of KSA, the nonrandomness is transmitted to the keystream generated from PRGA. Similarly, if uniformity is compromised in the output of PRGA, the nonrandomness occurs in the keystream. Therefore, a necessary condition for the keystream to be pseudorandom is that the distribution of output state from KSA and output keystream from PRGA to be pseudorandom. Let F : Vm × Vl → Vn be the KSA function which converts a key of length m bits and an initialization vector of length l bits to a state of length n bits. That is, S = F (K, IV ) ∈ Vn be the state generated by the KSA function F with the input key K ∈ Vm and initialization vector IV ∈ Vl . Further, let G : Vn → Vn × V1 be the PRGA function which generates a new state in Vn and a keystream bit from the input of a state. In this paper, we study a nonrandomness behavior of the KSA function F . Let denote DF be the distribution on nbit string generated from F by choosing a uniform m bit key and l bit initialization vector. Now we deﬁne pseudorandom state generator as follows. Definition 1. The function F is a pseudorandom state generator if and only if the distribution DF is pseudorandom. Therefore, we say F is a pseudorandom state generator if no eﬃcient distinguisher can detect whether given a string S ∈ Vn is a valid state (i.e., S ∈ RF ) or chosen uniformly in random from Vn . Now, we deﬁne the pseudorandom state generator in a formal way. Definition 2. Let F : Vm × Vl → Vn be a polynomial time computable function and n > m + l. F is said to be a pseudorandom state generator if, for any probabilistic polynomial time algorithm D, there is a negligible function ngl such that P r[D(F (K, IV )) = 1] − P r[D(S) = 1] ≤ ngl(m + l), where K, IV and S are chosen uniformly in random from Vm , Vl and Vn respectively. In practice, the computation of F −1 can be done very eﬃciently, so one can / RF . However, for eﬃciently perform F −1 (S) to check whether S ∈ RF or S ∈
An Observation of Nonrandomness in the Grain Family of Stream Ciphers
5
any random S ∈ Vn one can ﬁnd whether S ∈ RF or S ∈ / RF without applying F −1 on S with some probability. Let consider δ = n − (m + l). The cardinality of the set RF is 2m+l , with the assumption that F is one to one. If F is a pseudorandom state generator then given a uniformly chosen S from Vn , any eﬃcient distinguisher D can distinguish with probability P r[D(S) = 1] = 2−δ ±ngl(m+l). Therefore, without computing F or F −1 , no adversary can be able to pick a valid state S from Vn (i.e., S ∈ RF ) with probability signiﬁcantly higher than 2−δ . For a stronger security notion, we can consider more freedom to the adversary, like querying the value of F (K, IV ) for some pairs (K, IV ) ∈ Vm × Vl and querying whether S ∗ ∈ RF for some S ∗ ∈ Vn \ {S}. Let denote this indistinguishability experiment using such chosen queries be as “chosen query indistinguishability experiment”. If F is pseudorandom state generator then any polynomial time adversary should not be able to distinguish with signiﬁcant probability in any chosen query indistinguishability experiment. Now denoting the distinguisher as Dc , which can query whether S ∗ ∈ RF for any S ∗ ∈ Vn \ {S}. Now we deﬁne the pseudorandom state generator in stronger notion as following. Definition 3. Let F : Vm × Vl → Vn be a polynomial time computable function and n > m + l. F is a pseudorandom state generator if for any probabilistic polynomial time algorithm Dc , there is a negligible function ngl such that P r[Dc (F (K, IV )) = 1] − P r[Dc (S) = 1] ≤ ngl(m + l), where K, IV and S are chosen uniformly from Vm , Vl and Vn respectively. In the light of this stronger deﬁnition, if F is a pseudorandom state generator then no adversary can distinguish a uniformly chosen string S ∈ Vn from a string in RF even after querying on the value of F −1 on some chosen strings S ∗ ∈ Vn \ {S}.
3
Design Specification of GrainV1 Stream Cipher
The stream cipher Grainv1 [11] is based on one 80bit LFSR, one 80bit NFSR and one nonlinear ﬁlter function of 5 variables. The state bits of LFSR and NFSR are denoted by li , i = 0, 1, · · · , 79 and nj , j = 0, 1, · · · , 79 respectively. The state bits li and ni for 0 ≤ i ≤ 79 are updated in each clock. At the tth clock, t ≥ 0, the value of state bits li , ni , 0 ≤ i ≤ 79 are denoted as lt+i , nt+i respectively. The updates at the tth clock are done as lt+i = l(t−1)+(i+1) and nt+i = n(t−1)+(i+1) for 0 ≤ i ≤ 79. The state bits lt+80 , nt+80 are computed as the relations speciﬁed in Eqs. (1) and (2) respectively. The linear feedback relation of the LFSR is lt+80 = lt+62 + lt+51 + lt+38 + lt+23 + lt+13 + lt , for t ≥ 0.
(1)
6
D. K. Dalai and D. Roy
The nonlinear feedback relation of the NFSR is nt+80 = lt + nt+62 + nt+60 + nt+52 + nt+45 + nt+37 + nt+33 + nt+28 + nt+21 + nt+14 + nt+9 + nt + nt+63 nt+60 + nt+37 nt+33 + nt+15 nt+9 + nt+60 nt+52 nt+45 + nt+33 nt+28 nt+21 + nt+63 nt+45 nt+28 nt+9 + nt+60 nt+52 nt+37 nt+33 + nt+63 nt+60 nt+21 nt+15 + nt+63 nt+60 nt+52 nt+45 nt+37 + nt+33 nt+28 nt+21 nt+15 nt+9 + nt+52 nt+45 nt+37 nt+33 nt+28 nt+21 , for t ≥ 0.
(2)
The nonlinear ﬁlter function is a 5 variable 1resilient Boolean function of nonlinearity 12. The algebraic normal form is given below. h(x) = x1 + x4 + x0 x3 + x2 x3 + x3 x4 + x0 x1 x2 + x0 x2 x3 + x0 x2 x4 + x1 x2 x4 + x2 x3 x4 .
f (x)
g(x)
g(x)
f (x)
LFSR
NFSR
LFSR
NFSR
h(x) h(x)
(a) KSA of Grainv1
(b) PRGA of Grainv1
Fig. 1. Design speciﬁcation of Grainv1
At the tth clock, the variables x0 , x1 , · · · , x4 correspond to the state bits lt+3 , lt+25 , lt+46 , lt+64 , nt+63 respectively. In each clock, the keystream bit zt is computed by masking few state bits from NFSR with the function h and computed as zt = nt+k + h(lt+3 , lt+25 , lt+46 , lt+64 , nt+63 ), (3) k∈A
where A = {1, 2, 4, 10, 31, 43, 56} and t ≥ 0. The graphical representation of Grainv1 is provided in Fig. 1. 3.1
KSA of GrainV1
The cipher is initialized by an 80bit long secret key (K) and a 64bit long initialization vector (IV ). Let the bits of the secret key K and the initialization vector IV be ki , 0 ≤ i ≤ 79 and ivi , 0 ≤ i ≤ 63 respectively. The cipher is
An Observation of Nonrandomness in the Grain Family of Stream Ciphers
7
initialized to convert the partially random state (i.e., a randomly chosen K) to a full pseudorandom state by spreading the unknown uniform secret key over the whole state. The procedure of this conversion is known as key scheduling algorithm (KSA), which is described as following: – The NFSR state is loaded by the secret key K as ni = ki , 0 ≤ i ≤ 79. – The LFSR state is loaded by the initialization vector IV and 16 bit long all 1 string (called padding bits) as li = ivi , 0 ≤ i ≤ 63 and li = 1, 64 ≤ i ≤ 79. Then the cipher is clocked for R rounds without generating any keystream bit as output. In each round, the keystream bit (i.e., the output of the masked ﬁlter function h) is added to the feedback bits of the LFSR and NFSR. The description of KSA is presented in Algorithm 1 and Fig. 1a. In the case of Grainv1, the actual number of round R is 160.
Algorithm 1. KSA of Grainv1
1 2 3 4 5 6 7 8 9
Input : K = (k0 , k1 , · · · , k79 ), IV = (iv0 , iv1 , · · · , iv63 ). Output: State S = (n0 , · · · , n79 , l0 , · · · , l79 ) of Grainv1 after key scheduling process. Assign ni = ki for i = 1, · · · , 79; li = ivi for i = 0, · · · , 63; li = 1 for i = 64, · · · , 79; for R rounds do Compute z = k∈A nk + h(l3 , l25 , l46 , l64 , n63 ), for A = {1, 2, 4, 10, 31, 43, 56}; t1 = z + l62 + l51 + l38 + l23 + l13 + l0 ; t2 = z + n80 where n80 is computed as Equation (2) putting t = 0; ni = ni+1 and li = li+1 for i = 0, 1, · · · , 78; l79 = t1 and n79 = t2 ; end return S = (n0 , n1 , · · · , n79 , l0 , l1 , · · · , l79 );
As deﬁned in Sect. 2.2, the computation of KSA function F consists of both the key loading process and the operations in R rounds of clocking on m = 80 bit key and l = 64bit initialization vector. Here we provide the deﬁnition of valid padding bits of Grainv1, Definition 4. The last 16 bits of the initial state of the LFSR of key scheduling phase of Grainv1 (i.e., (S0 (l64 ), S0 (l65 ), · · · , S0 (l79 ))) is known as padding bits of Grainv1. The padding bits is valid if S0 (l64 ) = S0 (l65 ) = · · · = S0 (l79 ) = 1. 3.2
Inverse of KSA of GrainV1
The KSA function F is invertible. Let SR = (n0 , · · · , n79 , l0 , · · · , l79 ) ∈ V160 be an 160 bit string which needs to be inverted to ﬁnd the corresponding state S0 . Algorithm 2 presents the inverse process of KSA of Grainv1.
8
D. K. Dalai and D. Roy
Algorithm 2. Inverse algorithm of KSA of Grainv1
1 2 3 4 5 6 7 8
Input : SR = (n0 , n1 , · · · , n79 , l0 , l1 , · · · , l79 ). Output: Initial state S0 of KSA i.e., K, IV and the 16 padding bits. for R rounds do t1 = n79 and t2 = l79 ; ni = ni−1 and li = li−1 for i = 1, 2, · · · , 79; Compute z = k∈A nk + h(l3 , l25 , l46 , l64 , n63 ), for A = {1, 2, 4, 10, 31, 43, 56}; l0 = z + t2 + l62 + l51 + l38 + l23 + l13 ; n0 = z + t1 + l0 + B(n1 , · · · , n79 ); end return S0 = (n0 , n1 , · · · , n79 , l0 , l1 , · · · , l79 );
The function B used in Algorithm 2 can be deﬁned from Eq. (2) as B(n1 , · · · , n79 ) = n80 + n0 + l0 . If the padding bits of the output S0 is valid then SR ∈ RF and F −1 (SR ) returns K(SR ) = (S0 (n0 ), · · · , S0 (n79 )) and IV (SR ) = (S0 (l0 ), S0 (l1 ), · · · , S0 (l63 )). A random string S ∈ V160 belongs to RF if Algorithm 2 returns a state S0 with the valid padding bits. We deﬁne a valid state as following. Definition 5. A state S ∈ V160 is said to be a valid state of Grainv1 after KSA (or, simply a valid state), if S ∈ RF i.e., the inverse KSA with input S generates a state with the valid padding bits. As the KSA of Grainv1 is one to one (i.e., it is invertible), RF  = 280+64 = 2 . Therefore, the probability of a uniformly chosen state from V160 is a valid state is 2−16 . That is, P r[S ∈ RF S is chosen uniformly from V160 ] = 2−16 . This observation is presented in Theorem 1. 144
Theorem 1. Any random state S ∈ V160 is a valid state of Grainv1 after KSA with probability 2−16 . Therefore, a question is raised as “can one choose a valid state from Vn with probability greater than 2−16 ?”. We deﬁne the problem in a more formal way as follows. Problem 1. Consider we are having a set Γ ⊂ RF where the size of Γ is as small as possible. Without knowing the computation of F −1 , is it possible to choose a S from V160 such that S belongs to RF \ Γ with probability signiﬁcantly greater than 2−16 ? Considering the number of rounds R ≤ 129 in KSA, we show that it is possible to choose an element from RF with probability signiﬁcantly greater than 2−16 .
An Observation of Nonrandomness in the Grain Family of Stream Ciphers
4
9
A Nonrandomness of KSA of GrainV1
Let consider the number of rounds used in Grainv1 is R. In the actual description of Grainv1, the value of R is 160. In this section, we prove the existence of a nonrandomness in the KSA of Grainv1 where R ≤ 129. Given a valid state S ∈ V160 , we are able to construct another valid state T with a probability higher than 2−16 . Moreover, the distance between the valid states S and T is small. As a result, the initial part of keystream bits generated from both the valid states S and T are very close. Since the KSA function is invertible, one can get two pairs of secret key and initialization vector which generate equal keystream bits with high probability. Therefore, the nonrandomness in KSA is transmitted into the keystream from the nonrandomness in KSA of Grainv1. Our aim is to generate a valid state T ∈ V160 from a given valid state S ∈ V160 for R as large as possible and the distance of S and T is as close as possible. For that purpose, we generate T by ﬂipping few bits in S. For R = 64, the values of S0 (l64 ), S0 (l65 ), · · · , S0 (l79 ) are just shifted to S64 (l0 ), S64 (l1 ), · · · , S64 (l15 ). Therefore, the ﬁrst 16 bits of state SR are 1 (i.e., S64 (l0 ) = S64 (l1 ) = · · · = S64 (l15 ) = 1). Then ﬂipping any other bits, one will always get a valid state as the inverse of KSA generates a state with the valid padding bits. Lemma 1. Let the number of round in KSA is R = 64 and S ∈ V160 is a valid state (i.e., S ∈ RF ). Then the new state T ∈ V160 generated from S by flipping any subset of bits from {l16 , · · · , l79 , n0 , · · · , n79 } is a valid state (i.e., T ∈ RF ) with probability 1. Let consider R > 64 and after performing (R − 64) inverse round operations on a valid state S = SR , we have a new state with S64 with l0 = l1 = · · · = l15 = 1. Note that we do not want to ﬂip the bits in the states of NFSR as the feedback function and masking contains many tap points from NFSR which makes the relation complicated. Therefore, our aim is to generate a state TR by ﬂipping few LFSR bits in the valid state SR such that after performing (R − 64) inverse rounds on TR we have T64 (l0 ) = · · · = T64 (l15 ) = 1 with probability higher than 2−16 . Lemma 2. Let the number of rounds in KSA is R > 64 and SR ∈ V160 is a valid state (i.e., SR ∈ RF ). Let a state TR ∈ V160 is generated from SR by flipping the state bits in Δ(SR , TR ) ⊂ {l0 , l1 , · · · , l79 }. After performing (R − 64) inverse rounds of KSA, if we have T64 (l0 ) = T64 (l1 ) = · · · = T64 (l15 ) = 1, then TR is a valid state (i.e., TR ∈ RF ). Let consider R > 64. Since SR is a valid state, then S64 (l0 ) = S64 (l1 ) = · · · = S64 (l15 ) = 1 happens with probability 1. However, the probability of T64 (l0 ) = T64 (l1 ) = · · · = T64 (l15 ) = 1 is reduced because of the involvement of the ﬂipped bits in the ﬁlter function h and the feedback relation in the inverse rounds in KSA (see Algorithm 2). Therefore, our aim is to choose the state bits Δ(SR , TR ) ⊂ {l0 , l1 , · · · , l79 } such that ﬂipping those state bits, the involvement of ﬂipped bits in ﬁlter function h and the linear feedback relation in Eq. (1)
10
D. K. Dalai and D. Roy
are minimized or canceling each other. Now we will explore few situations to understand it more a clearly. Observation 1. Let Δ(SR , TR ) = {l79 } for R = 65. As l79 is involved in the computation of l0 in the inverse round computation, the probability of T64 (l0 ) = S64 (l0 ) (i.e., T64 (l0 ) = 1) is 0. Same thing happens if the flipping bit is from {l79 , l61 , l50 , l37 , l22 , l12 }. More generally, if the subset Δ(SR , TR ) contains any odd number of state bits from {l79 , l61 , l50 , l37 , l22 , l12 }, then the probability of T64 (l0 ) = 1 is 0. Hence, T can not be a valid state. Observation 2. Let Δ(SR , TR ) = {l61 , l79 } for R = 65. As both l62 and l79 are involved in the computation of l0 in the inverse round computation, the probability of T64 (l0 ) = S64 (l0 ) (i.e., T64 (l0 ) = 1) is 1. More generally, if the subset Δ(SR , TR ) contains any even number of state bits from {l79 , l61 , l50 , l37 , l22 , l12 }, then the probability of T64 (l0 ) = 1 is 1. Hence, T is always a valid state. Observation 3. Consider Δ(SR , TR ) = {l24 } for R = 65. Here, l24 is involved in the computation of l0 as being an input of the filter function h in the inverse round computation. Therefore, P r[T64 (l0 ) = 1] = P r[T64 (l0 ) = S64 (l0 )] is same as p = P r[h(x1 , x2 , x3 , x4 , x5 ) = h(x1 , 1 + x2 , x3 , x4 , x5 )]. The involvement of the flipped bits in the filter function h changes the probability. Hence, T is a valid state with probability p. In more general way, the probability is being changed when a subset of flipped bits are from {l2 , l24 , l45 , l63 }. From Observation 2, it is clear that if an even number of ﬂipped bits are involved in the linear feedback relation then no new ﬂipped bit is generated as they cancel each other. Therefore, to reduce the number of new ﬂipped bit generation, we need to choose the bits such that an even number of ﬂipped bits are very often involved in the inverse rounds. We see that l3 , l13 , l23 , l25 , l38 , l46 , l51 , l62 , l64 , l80 are the LFSR state bits (in increased order of their index) which are involved in the feedback function and the ﬁlter functions during each inverse round of KSA. The diﬀerence between the indices of the pair of states l46 and l62 (i.e., 16) is same as the diﬀerence between the indices of the pair of states l64 and l80 . This equality helps to move the ﬂips at l46 and l64 to l61 and l79 respectively, in 15 inverse rounds. But in between when l46 reaches at l51 after 5 inverse rounds, it faces a tab point in feedback function. To cancel the diﬀerence we consider a ﬂip at l75 . So, at the 5th inverse round, the ﬂips are given at l46 and l75 reaches as l51 and l80 respectively. They cancel each other and the ﬂipped bit l80 goes out. At the 16th inverse round, the ﬂips are given at l46 and l64 reach as ﬂips at l62 and l80 respectively and no extra ﬂip is generated. Hence only one ﬂip at l62 remains as l80 goes out. Table 1 summarizes the execution of 17 inverse rounds of KSA on the state which is ﬂipped at l46 , l64 , l75 . Let denote Δ(Sr , Tr ) = {li : Sr (li ) = Tr (li )} ∪ {ni : Sr (ni ) = Tr (ni )}. At the 18th inverse KSA round, the LFSR state bit l64 is used in the ﬁlter function h as the variable x3 . The function h has a property that P r[h(x0 , x1 , x2 , x3 , x4 ) = h(x0 , x1 , x2 , 1 + x3 , x4 )] = 14 . P r[Δ(SR−18 , TR−18 ) = {l64 }] = 14 and P r[Δ(SR−18 , TR−18 ) =
An Observation of Nonrandomness in the Grain Family of Stream Ciphers
11
Table 1. Movement of ﬂips in the execution of inverse rounds with certainty Round No.(r) Δ(Sr , Tr ) R
{l46 , l64 , l75 }
R−1
{l47 , l65 , l76 }
R−4
{l50 , l68 , l79 }
R−5
{l51 , l69 }
R − 15
{l61 , l79 }
R − 16
{l62 }
R − 17
{l63 }
{l64 , l0 }] = 34 . Hence, two diﬀerent paths are created with diﬀerent probabilities. Now we consider the simpler situation where Δ(SR−18 , TR−18 ) = {l64 }. Note that the other situation too adds some more probability for the happening of Tr be a valid state. Table 2 summarizes the execution of 20 more inverse rounds of KSA from the (R − 17)th inverse round. Table 2. Movement of ﬂips in the execution of inverse rounds with partial probability Round No.(r) Δ(Sr , Tr ) 1 4 1 4 1 4 1 4
R − 18
{l64 } with probability
R − 19
{l65 } with probability
R − 32
{l78 } with probability
R − 33
{l79 } with probability
R − 34
{l0 , b0 } with probability
R − 35
{l0 , l1 , b1 } with probability
R − 36
{l0 , l1 , l2 , b2 } with probability
R − 37
{l1 , l2 , l3 , b3 } with probability {l0 , l1 , l2 , l3 , b3 } with probability
1 4
1 4
1 4 1 8
1 8
In the 37th round, l3 is involved in h as the variable x0 and P r[h(x0 , x1 , · · · , x4 ) = h(1 + x0 , x1 , x2 , x3 , x4 )] = 12 . Hence, P r[Δ(SR−37 , TR−37 ) = {l1 , l2 , l3 , b3 }] = 12 and P r[Δ(SR−37 , TR−37 ) = {l0 , l1 , l2 , l3 , b3 }] = 12 . As a result, two more diﬀerent paths are created with probability 12 . Let consider R = 97 and TR is generated from a valid state SR by ﬂipping the values at l46 , l64 , l75 . Then after executing 33 inverse rounds, the valid state S64 and the state T64 are diﬀerent only at l79 with probability at least 14 . The state values of S64 and T64 at l0 , l1 , · · · , l15 remains same with value 1. Therefore, the chance of TR is being a valid state is at least 14 .
12
D. K. Dalai and D. Roy
However, if we would consider R = 98, then TR is generated from a valid state SR by ﬂipping the values at l46 , l64 , l75 . Then after executing 34 inverse rounds, the valid state S64 and the state T64 are diﬀerent at l0 and b0 with probability at least 14 . As the state values of S64 and T64 at l0 are diﬀerent, the chance of TR is not being a valid state is at least 14 . From these two situations, we claim Theorem 2 and Corollary 1. Theorem 2. Consider R > 64 and a new state TR ∈ V160 is generated from a valid state SR ∈ V160 by flipping the value of the state bits at Δ(SR , TR ) ⊆ {l0 , l1 , · · · , l79 }. If Δ(S64 , T64 ) ∩ {l0 , l1 , · · · , l15 } = ∅ with probability p then the probability of TR is a valid state is p. Corollary 1. A state TR ∈ V160 is generated from a valid state SR ∈ V160 by flipping the value of the state bits at Δ(SR , TR ) = {l46 , l64 , l75 }. 1. If 65 ≤ R ≤ 81 then TR is always a valid state. 2. If 82 ≤ R ≤ 97 then TR is a valid state with probability 41 . 3. For some positive integer t, TR is a valid state with probability 0 where 98 ≤ R ≤ 98 + t. Proof. 1. If 65 ≤ R ≤ 81 then Δ(S64 , T64 ) never contains a state value from l0 , l1 , · · · , l15 (see Table 1). Hence, TR always yields a valid state. 2. If R ≥ 82 it is clear from Table 2 that at the 18th inverse round, Δ(SR−18 , TR−18 ) forks into Δ1 = {l64 } with probability 14 and Δ2 = {l64 , l0 } with probability 34 . In the direction of the second fork, as Δ2 contains l0 for 82 ≤ R ≤ 97, Δ(S64 , T64 ) always contains a state value from l0 , l1 , · · · , l15 . Hence, TR never yields a valid state in the second fork which happens with probability 3 1 4 . However, in the direction of ﬁrst fork (which happens with probability 4 ), Δ(S64 , T64 ) never contains a state value from l0 , l1 , · · · , l15 . Hence, TR always yields a valid state with probability 14 . 3. In the direction of ﬁrst fork, it is clear from (R − 34)th inverse round in Table 2 that Δ(S64 , T64 ) always contains a state value from l0 , l1 , · · · , l15 for some R ≥ 98. Similarly, in the direction of the second fork, it can be checked that Δ(S64 , T64 ) always contains a state value from l0 , l1 , · · · , l15 for some R ≥ 98. Hence, for 98 ≤ R ≤ 98 + t, TR can not be a valid state for some values of t ≥ 0. We performed experiments on random data size of 226 key K ∈ V80 and initialization vector IV ∈ V64 pairs. We generate SR ∈ V160 for each pair of (K, IV ) ∈ V144 and corresponding TR ∈ V160 by ﬂipping the state values at l46 , l64 , l75 . Our experiments for each R, (65 ≤ R ≤ 160) and the probability of TR being a valid state are presented in Table 3. The experiment results support the facts presented in Corollary 1. The experimental results show that we can answer Problem 1 for R ≤ 129. It is possible to construct a valid state from a given valid state with probability diﬀerent than 2−16 . However, it is observed that for R = 124, 125 the bias is signiﬁcant than the uniformity.
An Observation of Nonrandomness in the Grain Family of Stream Ciphers
13
Table 3. Experimental result of probability of TR being a valid state
4.1
Round no. (R) Probability
Round no. (R) Probability
65 ≤ R ≤ 81
=1
82 ≤ R ≤ 97
98 ≤ R ≤ 117
=0
R = 118
≈4.17 × 2−16
R = 119
≈3.13 × 2−16 R = 120
≈2.30 × 2−16
R = 121
−16
≈2.78 × 2
R = 122
≈1.91 × 2−16
R = 123
≈1.26 × 2−16 R = 124
≈4.10 × 2−16
R = 125
−16
R = 126
≈1.94 × 2−16
−16
R = 128
≈1.51 × 2−16
≈3.80 × 2
= 14
R = 127
≈1.98 × 2
R = 129
≈1.16 × 2−16 130 ≤ R ≤ 160 ≈1 × 2−16
Nonrandomness in the Key, IV Bits
From a valid state S = SR (R ≤ 129), we can generate another valid state T = TR with probability greater than 2−16 . Let the key and initialization vector pair corresponding to the valid state S and the generated valid state T be (K, IV ) and (K ∗ , IV ∗ ) respectively. The next natural question raised as, what is the relation between these two key, initialization vector pairs. We observed experimentally that there are signiﬁcant biases in the secret key bits. The Table 5 summarizes the signiﬁcant biases in key bits as pi = P r(ki = ki∗ ), 0 ≤ i ≤ 79 where ki and ki∗ are ith key bits of K and K ∗ respectively. There are also biases in IV bits. We observed that for R = 118, 125, the bias ∗ ˜ from K ∗ as the ith ] = 0, 0.43 respectively. Let construct a key K P r[iv63 = iv63 ∗ ∗ ˜ ˜ bit ki = ki where pi ≥ 0.5 else ki = 1 + ki . Let denote i = pi if pi ≥ 0.5 else ˜ i = 1 − 0.5. Therefore, 79 the original key K will match with the new key K with probability P = i=0 i . A necessary condition for randomness in KSA would 79 be that the keys K and K ∗ are not having any bias i.e., P = i=0 i = 2−80 . From the observation presented inTable 5, it is clear that the keys are related. 79 However, we present the value of i=0 i for rounds R in Table 4. Table 4. Biases in the secret key for diﬀerent rounds R Round (R) Biases P = 118 120 122 124 126 128
17
≈ 2280 15 ≈ 2280 7 ≈ 2280 13 ≈ 2280 10 ≈ 2280 6 ≈ 2280
79
i=0 i
Round (R) Biases P = 119 121 123 125 127 129
17
≈ 2280 10 ≈ 2280 7 ≈ 2280 12 ≈ 2280 8 ≈ 2280 5 ≈ 2280
79
i=0 i
14
D. K. Dalai and D. Roy Table 5. Biases into the secret key bits for diﬀerent rounds R
Round (R) Indices of key bits (i)
Biases pi = P r[ki = ki∗ ]
118
59, 64 ≤ i ≤ 79
0.38, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1
119
51, 57, 65 ≤ i ≤ 79
0.66, 0.67, 0.97, 1, 0, 0.034, 0.034, 0, 0, 0.97, 0.34, 1, 0.034, 0.034, 1, 0, 0.034
120
52, 58, 59, 65 ≤ i ≤ 79
0.59, 0.62, 0.39, 0.25, 0.99, 1, 0.3, 0.009, 0.31, 0, 0, 0.7, 0.31, 1, 0.009, 0.009, 1, 0
121
54, 63 ≤ i ≤ 66, 68 ≤ i ≤ 79
0.41, 0.61, 0.41, 0.6, 0.38, 0.78, 0.38, 0.24, 0.38, 0.29, 0.21, 0.6, 0.2, 1, 0.35, 0.35, 1
122
64, 65, 69, 71, 73, 74, 76 ≤ i ≤ 79
0.6, 0.38, 0.6, 0.28, 0.38, 0.3, 0.16, 1, 0.33, 0.42
123
66, 70, 72, 74, 75, 77 ≤ i ≤ 79
0.38, 0.62, 0.32, 0.36, 0.3, 0.18, 1, 0.37
124
63, 66 ≤ i ≤ 79
0.83, 0.69, 0.84, 0.85, 0.15, 0.15, 0.87, 0.86, 0.11, 0.15, 0.11, 0.8, 0.16, 0.79, 1
125
61, 62, 64 ≤ i ≤ 79
0.43, 0.69, 0.84, 0.6, 0.32, 0.71, 0.85, 0.85, 0.39, 0.46, 0.78, 0.87, 0.11, 0.39, 0.34, 0.84, 0.16, 0.82
126
56, 63, 65 ≤ i ≤ 71, 73 ≤ i ≤ 79
0.6, 0.68, 0.81, 0.43, 0.4, 0.65, 0.8, 0.8, 0.36, 0.7, 0.8, 0.15, 0.37, 0.31, 0.8, 0.18
127
59, 66, 72 ≤ i ≤ 79
0.61, 0.82, 0.25, 0.28, 0.8, 0.8, 0.17, 0.26, 0.2, 0.81
128
67, 73 ≤ i ≤ 79
0.68, 0.33, 0.35, 0.73, 0.71, 0.22, 0.35, 0.3
129
74 ≤ i ≤ 79
0.38, 0.36, 0.67, 0.64, 0.31, 0.41
5
Nonrandomness in KSA of Grain128a Stream Cipher
Grain128a is a longer state version stream cipher in Grain family. Using similar technique as in Grainv1, we too found a nonrandomness in KSA of Grain128a. In this section, we brieﬂy present the result of the nonrandomness in KSA of Grain128a. 5.1
Design Specification of Grain128a Stream Cipher
In 2011, ˚ Agren et al. [2] modiﬁed the Grain128 stream cipher [10] and introduced Grain128a with authentication mode. Grain128a is based on one 128bit NFSR, one 128bit LFSR and a nonlinear ﬁlter function. The state bits of the NFSR is denoted by ni , 0 ≤ i ≤ 127 and LFSR state bits are denoted by li , 0 ≤ i ≤ 127. In each clock, the state bits of LFSR and NFSR are shifted by usual method and feedback bits are computed as in Eqs. (4) and (5) respectively. lt+128 = lt + lt+7 + lt+38 + lt+70 + lt+81 + lt+96 , for t ≥ 0.
(4)
An Observation of Nonrandomness in the Grain Family of Stream Ciphers
15
nt+128 = st + nt + nt+26 + nt+56 + nt+91 + nt+96 + nt+3 nt+67 + nt+11 nt+13 + nt+17 nt+18 + nt+27 nt+59 + nt+40 nt+48 + nt+61 nt+65 + nt+68 nt+84 + nt+88 nt+92 nt+93 nt+95 + nt+22 nt+24 nt+25 + nt+70 nt+78 nt+82 , for t ≥ 0.
(5)
The nonlinear ﬁlter function (h) is a Boolean function involving 9 variables. These 9 variables correspond to 7 state bits of LFSR and 2 state bits of NFSR. The algebraic normal form of the nonlinear ﬁlter function is h(x) = x0 x1 + x2 x3 + x4 x5 + x6 x7 + x0 x4 x8 ,
(6)
where x0 , x1 , · · · , x8 correspond to nt+12 , lt+8 , lt+13 , lt+20 , nt+95 , lt+42 , lt+60 , lt+79 , lt+94 respectively. In each clocking (t), the keystream bit yt is computed by masking 7 state bits of NFSR, one state bit from LFSR with the output of the nonlinear ﬁlter function h as nt+j , (7) yt = h(x) + lt+93 + j∈A
where A = {2, 15, 36, 45, 64, 73, 89}. Grain128a is presented graphically in Fig. 2a,
6
5
24 24
f
g
f
g 6
5
LFSR
NFSR
LFSR
NFSR
2 2
7
7
7
7
h
h
(a) KSA of Grain128a
(b) PRGA of Grain128a
Fig. 2. Design speciﬁcation of Grain128a
In the key scheduling phase, the cipher is initialized by one 128bit secret key (K) and one 96bit initialization vector (IV ). The secret key bits are denoted by ki , 0 ≤ i ≤ 127 and IV bits are denoted by ivi , 0 ≤ i ≤ 95. The state is loaded with key bits, initialization vector bits and padding bits as follows. – The secret key bits are loaded into the NFSR as ni = ki for 0 ≤ i ≤ 127. – IV bits are loaded into the LFSR as li = ivi for 0 ≤ i ≤ 95. – Remaining 32 positions of LFSR are ﬁlled by the padding bits as li = 1 for 96 ≤ i ≤ 126 and l127 = 0.
16
D. K. Dalai and D. Roy
Then the cipher is clocked for R rounds, without producing any output bits, rather in each clocking the output bit (yt ) is added to the feedback bits of the NFSR and LFSR (see Fig. 2b). In case of full round Grain128a the number of rounds R = 256. The KSA of Grain128a is presented in Algorithm 3. Algorithm 3. KSA of Grain128a
1 2 3 4 5 6 7 8 9
Input : K = (k0 , k1 , · · · , k127 ), IV = (iv0 , iv1 , · · · , iv95 ). Output: State S = (n0 , · · · , n127 , l0 , · · · , l127 ) of Grainv1 after key scheduling process. Assign ni = ki for 0 ≤ i ≤ 127; li = ivi for 0 ≤ i ≤ 95; li = 1 for 96 ≤ i ≤ 126, l127 = 0; for R rounds do Compute z = k∈A nk + l93 + h(n12 , l8 , l13 , l20 , n95 , l42 , l60 , l79 , l94 ) for A = {2, 15, 36, 45, 64, 73, 89}; t1 = z + l0 + l7 + l38 + l70 + l81 + l96 ; t2 = z + n128 where n128 is computed as Equation (5) ; ni = ni+1 and li = li+1 for i = 0, 1, · · · , 126; l127 = t1 and n127 = t2 ; end return S = (n0 , n1 , · · · , n127 , l0 , l1 , · · · , l127 );
Definition 6. The last 32 bits of the initial state of the LFSR of key scheduling phase of Grain128a is known as padding bits. The padding bits is valid if first 31 bits are 1 and last bit is 0. The KSA function F of Grain128a is invertible. The inversion algorithm on the input SR = (n0 , n1 , · · · , n127 , l0 , l1 , · · · , l127 ) ∈ V256 to get the initial state S0 is presented in Algorithm 4. The function G used in Algorithm 4 can be deﬁned from Eq. (5). If the output of the Algorithm 4 i.e., the state S0 , contains the valid padding bits then SR ∈ RF and F −1 returns K(SR ) = (S0 (n0 ), S0 (n1 ), · · · , S0 (n127 )) and IV (SR ) = (S0 (l0 ), S0 (l1 ), · · · , S0 (l95 )). Definition 7. A state S after KSA of Grain128a is said to be a valid state if the inverse KSA of Grain128a returns a state S0 with a valid padding on the input S. As RF  = 2128+96 = 2224 , the probability of a uniformly chosen state from V256 is a valid state is 2−32 . i.e., P r[S ∈ RF  S is chosen uniformly from V256 ] = 2−32 . This observation is presented in Theorem 3. Theorem 3. Any random state S ∈ V256 is a valid state of Grain128a after KSA with a probability 2−32 . Therefore, in the following subsection, we will generate a valid state with probability higher than 2−32 to prove the existence of nonrandomness in the KSA of Grain128a.
An Observation of Nonrandomness in the Grain Family of Stream Ciphers
17
Algorithm 4. Inverse KSA of Grain128a
1 2 3 4 5 6 7 8
5.2
Input : SR = (n0 , n1 , · · · , n127 , l0 , l1 , · · · , l127 ). Output: Initial state of KSA of Grain128a. for R clockings do t1 = n127 and t2 = l127 ; ni = ni−1 and li = li−1 for i = 1, 2, · · · , 127; Compute y = l93 + h(n12 , · · · , l94 ) + k∈A nk , A = {2, 15, 36, 45, 64, 73, 89}; l0 = y + t2 + l7 + l38 + l70 + l81 + l96 ; n0 = y + t1 + l0 + G(n1 , · · · , n127 ); end return S0 = (n0 , n1 , · · · , n127 , l0 , l1 , · · · , l127 );
Nonrandomness of KSA of Grain128a
In this section, we prove a nonrandomness in the KSA of Grain128a for a reduced round R ≤ 208, whereas R = 256 in the proposed one. Like the case of Grainv1 in Sect. 4, we could generate a valid state T after ﬂipping some state bits in a given valid state with a probability higher than 2−32 . The goal is to generate a valid state TR from a valid state SR ∈ V256 of Grain128a for R as large as possible. To maintain a small distance between TR and SR , we construct TR by ﬂipping few bits of SR . It can be observed that at R = 96, the values of S0 (l96 ), S0 (l97 ), · · · , S0 (l127 ) are shifted to S96 (l0 ), S96 (l1 ), · · · , S96 (l31 ). Since S96 (l0 ) = S96 (l1 ) = · · · = S96 (l30 ) = 1 and S96 (l31 ) = 0, another valid state TR can be generated by ﬂipping any other bits of S96 . Lemma 3. Let the number of round in KSA is R = 96 and SR ∈ V256 is a valid state (i.e., SR ∈ RF ). Then TR ∈ V256 , which is generated from SR by flipping any subset of bits of {l32 , · · · , l127 , n0 , · · · , n127 }, is a valid state (i.e., TR ∈ RF ) with probability 1. Now we consider the case when R > 96. If we perform (R − 96) inverse KSA rounds from a valid state SR then we will have a state S96 with l0 = l1 = · · · = l30 = 1, l31 = 0. Hence, we should ﬂip few bits of SR to generate TR such that after performing (R − 96) inverse rounds on TR , we will get T96 (l0 ) = T96 (l1 ) = · · · = T96 (l30 ) = 1, T96 (l31 ) = 0 with a probability greater than 2−32 . Lemma 4. Let the number of rounds in KSA be R > 96 and SR ∈ V256 is a valid state (i.e., SR ∈ RF ). A state TR ∈ V256 is generated from SR by flipping the state bits in Δ(SR , TR ) ⊂ {n0 , · · · , n127 , l0 , · · · , l127 }. After performing (R − 96) inverse rounds of KSA, if T96 (l0 ) = T96 (l1 ) = · · · = T96 (l30 ) = 1, T96 (l31 ) = 0, then TR is a valid state (i.e., TR ∈ RF ). Now from the valid state SR for R > 96, we construct another state TR by ﬂipping the bits l35 and l93 . We perform the inverse algorithm of Grain128a Algorithm 4 for R = 141 rounds on the state TR . We observed that the padding bits of T0 is valid with a probability much greater than 2132 . For this
18
D. K. Dalai and D. Roy
experiment, we have randomly chosen 230 random key, IV pairs. If the feedback bits of jth inverse KSA round where j = 45, 44, · · · , 13 on SR and TR remain same, then the last 32 bits of S0 and T0 will be same. Therefore, we need to select the ﬂipping positions in such a way that the number of times the happening of the event SR−t (l0 ) = 1 + TR−t (l0 ) (i.e., the LFSR feedback bit during the tth inverse KSA round) is minimized for 0 ≤ t ≤ 96. Looking into this fact, we have chosen the l35 and l93 as the ﬂipping bits and experimentally observed that one can construct another valid state from a valid state of Grain128a of 141 round with a probability much greater than 2132 . Our next task is to extend this nonrandomness to the higher rounds. Hence, we start the KSA of Grain128a from the round 141 with two states S141 and T141 . These two states are exactly same except at the two positions (i.e., at the 35th and 93rd positions) where they are ﬂipped. That is, Δ(S141 , T141 ) = {l35 , l93 }. Now we run the KSA on the states S141 and T141 . Since l93 is involved in the keystream bit z as a part of the mask bits, the feedback bits of LFSR and NFSR are ﬂipped in the next clock i.e., S142 (l127 ) = 1 + T142 (l127 ) and S142 (n127 ) = 1 + T142 (n127 ). Hence, we have Δ(S142 , T142 ) = {n127 , l34 , l92 , l127 }. Now, we continue the KSA for more rounds and update the set Δ(SR , TR ). We include more ﬂipping positions in Δ(SR , TR ) when the feedback bits directly ﬂips as in the case of R = 142. We continue this process for 67 rounds and we have Δ(S208 , T208 ) as Δ(S208 , T208 ) = {n57 , n89 , n94 , n96 , n104 , n112 , l22 , l57 , l69 , l80 , l85 , l89 , l96 , l101 , l112 , l116 , l117 , l120 , l124 }. Therefore, for a given S208 , we generate T208 with ﬂipping the bits at Δ(S208 , T208 ). Then after 67 inverse KSA rounds, we will get a state T141 where Δ(S141 , T141 ) = {l35 , l93 } with some probability, say q1 . Further, running the 141 inverse KSA rounds from T141 we will have a valid state T0 with some probability q2 which will be lesser than q1 . However, our aim is to check whether the q2 is signiﬁcantly greater than the uniform probability 2132 . To verify this fact, we performed the experiment for 230 random key and IV pairs and we found that P r[T208 is a valid state] ≈ 2930 > 2132 . As a conclusion of this section, we state that from a valid state S208 at the 208th round of KSA of Grain128a one can generate another valid state T208 with probability greater than 2132 by ﬂipping the bits mentioned in Δ(S208 , T208 ).
6
Conclusion
In this paper, we have presented a nonrandomness criterion in KSA of Grain family of stream ciphers. We have shown that it is possible to construct a valid state by ﬂipping few bits of a valid state at Rth round of KSA of Grainv1 and Grain128a with probability signiﬁcantly diﬀerent than the uniform probability 2−16 and 2−32 respectively. We have shown the existence of the nonrandomness up to 129 and 208 KSA round of Grainv1 and Grain128a respectively. Although
An Observation of Nonrandomness in the Grain Family of Stream Ciphers
19
we could not exploit the nonrandomness into an attack, the existence of such nonrandomness should not be expected in any pseudorandom keystream generator. As the states are very close, the initial keystream bits generated from these two states will be same with very high probability. We further, observed the bias among the secret keys of the two valid states in Grainv1. As some lightweight ciphers such as Lizard, Plantlet share a very similar type of design as Grain family of stream ciphers, a similar kind of analysis can possibly be implemented on them.
References 1. eSTREAM: Stream cipher project for Ecrypt (2005) 2. ˚ Agren, M., Hell, M., Johansson, T., Meier, W.: A new version of Grain128 with authentication. In: Symmetric Key Encryption Workshop (2011) 3. Aumasson, J.P., Dinur, I., Henzen, L., Meier, W., Shamir, A.: Eﬃcient FPGA implementations of highdimensional cube testers on the stream cipher Grain128. SHARCS 2009 SpecialPurpose Hardware for Attacking Cryptographic Systems, p. 147 (2009) 4. Banik, S.: Some insights into diﬀerential cryptanalysis of Grain v1. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 34–49. Springer, Cham (2014). https://doi.org/10.1007/9783319083445 3 5. Banik, S.: Conditional diﬀerential cryptanalysis of 105 round Grain v1. Crypt. Commun. 8(1), 113–137 (2016) 6. Banik, S., Maitra, S., Sarkar, S.: A diﬀerential fault attack on the grain family of stream ciphers. In: Prouﬀ, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 122–139. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642330278 8 7. Banik, S., Maitra, S., Sarkar, S.: A diﬀerential fault attack on the grain family under reasonable assumptions. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 191–208. Springer, Heidelberg (2012). https://doi.org/ 10.1007/9783642349317 12 8. Dinur, I., Shamir, A.: Breaking Grain128 with dynamic cube attacks. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 167–187. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642217029 10 9. Fischer, S., Khazaei, S., Meier, W.: Chosen IV statistical analysis for key recovery attacks on stream ciphers. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 236–245. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540681649 16 10. Hell, M., Johansson, T., Maximov, A., Meier, W.: A stream cipher proposal: Grain128. In: IEEE International Symposium on Information Theory (ISIT 2006). Citeseer (2006) 11. Hell, M., Johansson, T., Meier, W.: Grain: a stream cipher for constrained environments. Int. J. Wirel. Mob. Comput. 2(1), 86–93 (2007) 12. Knellwolf, S., Meier, W., NayaPlasencia, M.: Conditional diﬀerential cryptanalysis of NLFSRbased cryptosystems. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 130–145. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642173738 8
20
D. K. Dalai and D. Roy
13. Lehmann, M., Meier, W.: Conditional diﬀerential cryptanalysis of Grain128a. In: Pieprzyk, J., Sadeghi, A.R., Manulis, M. (eds.) CANS 2012. LNCS, vol. 7712, pp. 1–11. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642354045 1 14. Ma, Z., Tian, T., Qi, W.F.: Improved conditional diﬀerential attacks on Grain v1. IET Inf. Secur. 11(1), 46–53 (2016) 15. Sarkar, S.: A new distinguisher on Grain v1 for 106 rounds. In: Jajodia, S., Mazumdar, C. (eds.) ICISS 2015. LNCS, vol. 9478, pp. 334–344. Springer, Cham (2015). https://doi.org/10.1007/9783319269610 20 16. Watanabe, Y., Todo, Y., Morii, M.: New conditional diﬀerential cryptanalysis for NLFSRbased stream ciphers and application to Grain v1. In: 2016 11th Asia Joint Conference on Information Security (AsiaJCIS), pp. 115–123. IEEE (2016)
TemplateBased Fault Injection Analysis of Block Ciphers Ashrujit Ghoshal(B) , Sikhar Patranabis , and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur, Kharagpur, India {ashrujitg,sikhar.patranabis}@iitkgp.ac.in,
[email protected]
Abstract. We present the ﬁrst templatebased fault injection analysis of FPGAbased block cipher implementations. While template attacks have been a popular form of sidechannel analysis in the cryptographic literature, the use of templates in the context of fault attacks has not yet been explored to the best of our knowledge. Our approach involves two phases. The ﬁrst phase is a proﬁling phase where we build templates of the fault behavior of a cryptographic device for diﬀerent secret key segments under diﬀerent fault injection intensities. This is followed by a matching phase where we match the observed fault behavior of an identical but blackbox device with the prebuilt templates to retrieve the secret key. We present a generic treatment of our templatebased fault attack approach for SPN block ciphers, and illustrate the same with case studies on a Xilinx Spartan6 FPGAbased implementation of AES128.
Keywords: Template attacks
1
· Fault injection · Fault intensity
Introduction
The advent of implementationlevel attacks has challenged the security of a number of mathematically robust cryptosystems, including symmetrickey cryptographic primitives such as block ciphers and stream ciphers, as well as publickey encryption schemes. Implementation attacks come in two major ﬂavors sidechannel analysis (SCA) and fault injection analysis (FIA). SCA techniques typically monitor the leakage of a cryptographic implementation from various channels, such as timing/power/EM radiations, and attempt to infer the secretkey from these leakages [14,16]. FIA techniques, on the other hand, actively perturb the correct execution of a cryptographic implementation via voltage/clock glitches [1,2,23], EM pulses [8] or precise laser beams [4,5]. With the growing number of physically accessible embedded devices processing sensitive data in today’s world, implementation level attacks assume signiﬁcance. In particular, a thorough exploration of the best possible attacks on any cryptographic implementation is the need of the hour. c Springer Nature Switzerland AG 2018 A. Chattopadhyay et al. (Eds.): SPACE 2018, LNCS 11348, pp. 21–36, 2018. https://doi.org/10.1007/9783030050726_2
22
1.1
A. Ghoshal et al.
Fault Models for Fault Injection Analysis
Nearly all FIA techniques in the existing literature assume a given fault model (such as random faults [8] and/or stuckatfaults [21]) in a given location of the cipher state. Some of these techniques, such as diﬀerential fault analysis (DFA) [18,20,24] and diﬀerential fault intensity analysis (DFIA) [10,11] are found to be more eﬃcient in the presence of highly localized faults, such as single bit ﬂips, or faults restricted to a given byte of the cipher state. While DFA attacks are possible using multiple byte faults, e.g. diagonal faults [22], the fault pattern impacts the complexity of keyrecovery. In particular, with respect to AES128, faults restricted to a single diagonal allow more eﬃcient keyrecovery as compared to faults spread across multiple diagonals. Similarly, DFIA typically exploits the bias of fault distribution at various fault intensities, under the assumption that the fault is restricted to a single byte/nibble of the cipher state [11]. Other techniques such as fault sensitivity analysis (FSA) [15,17] require the knowledge of the critical fault intensity at which the onset of faulty behavior is observed. This critical value is then correlated with the secretkey dependent cipher state value. Finally, FIA techniques such as safeerror analysis (SEA) [3] and diﬀerential behavioral analysis (DBA) [21] require highly restrictive fault models such as stuckat faults, where a speciﬁc target bit of the cipher state is set to either 0 or 1. In recent literature, microcontrollerbased implementation of cryptographic algorithms have been subjected to instructionskip attacks [7,12], where the adversary uses precise injection techniques to transform the opcode for speciﬁc instructions into that for NOP (nooperation). Similarity Between FIA and SCA. The above discussion clearly reveals that existing FIA techniques are inherently dependent on the ability of an adversary to replicate a specific fault model on an actual target device. Fault precision and fault localization contribute to the eﬃciency of the attack, while the occurrence of random faults outside the target model generate noisy ciphertexts, thereby degrading the attack eﬃciency. Observe that this is conceptually similar to the eﬀect of noise on the eﬃciency of traditional SCA techniques such as simple power analysis (SPA) and diﬀerential power analysis (DPA). In particular, the success rate for these techniques is directly proportional to the signaltonoise ratio (SNR) of an implementation. Our Motivation. In this paper, we aim to devise a generalized FIA strategy that overcomes the dependency of existing techniques on speciﬁc fault models. Rather than analyzing the behavior of the target implementation under a given set of faults, our approach would learn the behavior of the deviceundertest (DUT) under an unrestricted set of fault injection parameters, irrespective of the fault nature. Such an attack strategy would allow a larger exploitable fault space, making it more powerful than all reported FIA techniques. As discussed next, an equivalent of the same approach in the context of SCA is wellstudied in the literature.
TemplateBased Fault Injection Analysis of Block Ciphers
1.2
23
Template Attacks: Maximizing the Power of SCA
Template attacks (TA) were proposed in [6] as the strongest form of SCA in an informationtheoretic setting. Unlike other popular SCA techniques such as DPA, TA does not view the noise inherent to any cryptographic implementation as a hindrance to the success rate of the attack. Rather, it models precisely the noise pattern of the target device, and extracts the maximum possible information from any available leakage sample. This makes TA a threat to implementations otherwise secure based on the assumption that an adversary has access to only a limited number of sidechannel samples. On the ﬂip side, TA assumes that the adversary has full programming capability on a cryptographic device identical to the target blackbox device. 1.3
Our Contribution: Templates for Fault Injection Analysis
The existing literature on TA is limited principally to SCA, exploiting passive leakages from a target cryptographic device for key recovery. In this paper, we aim to extend the scope of TA to active FIA attacks. Figure 1 summarizes our templatebased FIA technique. Our approach is broadly divided into two main phases: – The ﬁrst phase of the attack is a profiling phase, where the adversary is assumed to have programming access to a device identical to the blackbox target device. The adversary uses this phase to characterize the fault behavior of the device under varying fault injection intensities. We refer to such characterizations as the fault template for the device. We choose the statistical distribution of faulty ciphertext values under diﬀerent fault injection intensities as the basis of our characterization. The templates are typically built on smallsegments of the overall secretkey, which makes a divideandconquer key recovery strategy practically achievable. Note that the matching phase does not require the correct ciphertext value corresponding to a given encryption operation. – The second phase of the attack is the matching phase, where the adversary obtains the fault behavior of the target blackbox device (with an embedded nonprogrammable secretkey K) under a set of fault injection intensities, and matches them with the templates obtained in the proﬁling phase to try and recover K. The idea is to use a maximum likelihood estimatorlike distinguisher to identify the key hypothesis for which the template exhibits the maximum similarity with the experimentally obtained fault behavior of the target device.
24
A. Ghoshal et al.
Fig. 1. Templatebased fault injection analysis: an overview
1.4
Comparison with Existing FIA Techniques
In this section, we brieﬂy recall existing FIA techniques, and explain their diﬀerences with our proposed templatebased FIA approach. As already mentioned, our technique has two phases, and assumes that the adversary has programmable access to a device identical to the device under test. At the same time, it allows modeling the behavior of the device independent of speciﬁc fault models, as is done in most stateoftheart FIA techniques. We explicitly enumerate these diﬀerences below. Diﬀerential Fault Analysis (DFA): In DFA [9,13,20,24], the adversary injects a fault under a speciﬁc fault model in target location of the cipher state, and analyzes the fault propagation characteristics using the knowledge of the faultfree and faulty ciphertexts. Our templatebased FIA does not trace the propagation of the fault; rather it simply creates a template of the faulty ciphertext distribution under diﬀerent fault injection intensities. This makes our approach independent of any speciﬁc fault model. Diﬀerential Fault Intensity Analysis (DFIA): DFIA [11,19] exploits the underlying bias of any practically achieved fault distribution on the target device, once again under a chosen fault model. It is similar in principle to DPA in the sense that it chooses the most likely secretkey value based upon a statistical analysis of the faulty intermediate state of the block cipher, derived from the
TemplateBased Fault Injection Analysis of Block Ciphers
25
faulty ciphertext values only. Our templatebased FIA can be viewed as a generalization of DFIA with less stringent fault model requirements. Similar to DFIA, our approach also does not require the correct ciphertext values. However, our approach does not statistically analyze the faulty intermediate state based upon several key hypotheses. Rather, it preconstructs separate templates of the faulty ciphertext distribution for each possible key value, and matches them with the experimentally obtained faulty ciphertext distribution from the blackbox target device. Rather than focusing on speciﬁc fault models, the templates are built for varying fault injection intensities. Fault Sensitivity Analysis (FSA): FSA [15,17] exploits the knowledge of the critical fault intensity under which a device under test starts exhibiting faulty output behavior. The critical intensity is typically datadependent, which allows secretkey recovery. FSA does not use the values of either the correct or the faulty ciphertexts. However, it requires a precise modeling of the onset of faults on the target device. Our methodology, on the other hand, uses the faulty ciphertext values, and is free of such precise critical fault intensity modeling requirements. Safe Error Analysis (SEA): In SEA [3,21], the adversary injects a fault into a precise location of the cipher state, and observes the corresponding eﬀect on the cipher behavior. A popular fault model used in such attacks is the stuckat fault model. The adversary injects a fault to set/reset a bit of the cipher state, and infers from the nature of the output if the corresponding bit was ﬂipped as a result of the fault injection. Quite clearly, this fault model is highly restrictive. Our approach, on the other hand, allows random fault injections under varying fault intensities, which makes easier to reproduce in practice on realworld target devices.
2
TemplateBased FIA: Detailed Approach
In this section, we present the details of our proposed templatebased FIA. Given a target device containing a block cipher implementation, let F be the space of all possible fault intensities under which an adversary can inject a fault on this device. Now, assume that a random fault is injected in a givensegment Sk of the cipher state under a fault intensity Fj ∈ F. Also assume that this state segment has value Pi ∈ P, and subsequently combines with a key segment Ki ∈ K, where P and K are the space of all possible intermediate state values and key segment values respectively, resulting in a faulty ciphertext segment Ci,i ,j,k . The granularity of fault intensity values depends on the injection equipment used  precise injection techniques such as laser pulses are expected to oﬀer higher granularity levels than simpler injection techniques such as clock/voltage glitches. Note that we do not restrict the nature of the faults resulting from such injections to any speciﬁc model, such as single bit/single byte/stuckat faults. With these assumptions in place, we now describe the two phases  the template building phase and the template matching phase  of our approach.
26
2.1
A. Ghoshal et al.
Template Building Phase
In this phase, the adversary has programmable access to a device identical to the device under test. By programmable access, we mean the following: – The adversary can feed a plaintext P and master secretkey K of his choice to the device. – Upon fault injection under a fault intensity Fj ∈ F, the adversary can detect the target location Sk in the cipher state where the fault is induced. – The adversary has the knowledge of the corresponding key segment Ki ∈ K and the intermediate state segment Pi ∈ P. The key segment combines with the faulty state segment to produce the faulty ciphertext segment Ci,i ,j,k .
Algorithm 1. Template Building Phase Require: Programmable target device Require: Target block cipher description Ensure: Fault template T for the target device 1: Fix the set S of fault locations to be covered for successful key recovery depending on the block cipher description 2: Fix the space F of fault injection intensities depending on the device characteristics 3: Fix the number of fault injections N for each fault intensity 4: T ← φ 5: for each fault location Sk ∈ S do 6: for each corresponding intermediate state segment and key segment (Pi , Ki ) ∈ P × K do 7: for each fault injection intensity Fj ∈ F do 8: for each l ∈ [1, N ] do 9: Run an encryption with plaintext segment Pi and the target key segment Ki simultaneously 10: Inject a fault under intensity Fj in the target location Sk l 11: Let Ci,i ,j,k be the faulty ciphertext segment 12: end for 1 N 13: Ti,i ,j,k ← Ci,i ,j,k , · · · , Ci,i ,j,k 14: T ← T ∪ Ti,i ,j,k 15: end for 16: end for 17: end for 18: return T
1 N Let Ci,i ,j,k , · · · , Ci,i ,j,k be the faulty ciphertext outputs upon N independent fault injections in the target location Sk under fault injection intensity Fj , corresponding to the intermediate state segment Piand key segment Ki .
1 N as a fault template We refer to the tuple Ti,i ,j,k = Ci,i ,j,k , · · · , Ci,i ,j,k instance. This template instance is prepared and stored for possible tuples (Ki , Pi , Fj , Sk ) ∈ K × P × F × S, where S is the set of all fault locations in the
TemplateBased Fault Injection Analysis of Block Ciphers
27
cipher state that need to be covered for full keyrecovery. The set of all such template instances constitutes the fault template for the target device. Algorithm 1 summarizes the main steps of the template building phase as described above. Note: The number of fault injections N required per fault intensity during the template building phase may be determined empirically, based upon the desired success rate of key recovery in the subsequent template matching phase. Quite evidently, increasing N improves the success rate of key recovery. 2.2
Template Matching Phase
In this phase, the adversary has blackbox access to the target device. Under the purview of blackbox access, we assume the following: – The adversary can feed a plaintext P of his choice to the device and run the encryption algorithm multiple times on this plaintext. – Upon fault injection under a fault intensity Fj ∈ F, the adversary can deduce the target location Sk in the cipher state where the fault is induced, by . observing the corresponding faulty ciphertext Cj,k – The adversary has no idea about the intermediate state segment Pi where the fault is injected, or the key segment Ki that subsequently combines with the faulty state segment to produce the ciphertext. The adversary again performs N independent fault injections under each fault injection intensity Fj in a target location Sk , and obtains the correspond1 N ing faulty ciphertexts C j,k , · · · , C j,k . All fault injections are performed during encryption operations using the same plaintext P as in the template building phase. These faulty ciphertexts are then given as input to a distinguisher D. The distinguisher ranks the keyhypotheses K1 , · · · , Kn ∈ K, where the rank of Ki is estimated based upon the closeness of the experimentally obtained ciphertext distribution with the template instance Ti,i ,j,k , for all possible intermediate state segments Pi . The closeness is estimated using a statistical measure M. The distinguisher ﬁnally outputs the key hypothesis Ki that is ranked consistently highly across all ranklists corresponding to diﬀerent fault injection intensities. Algorithm 2 summarizes our proposed template matching phase. 2.3
The Statistical Measure M
An important aspect of the template matching phase is choosing the statistical measure M to measure the closeness of the experimentally observed faulty ciphertext segment distribution, with that corresponding to each template instance. We propose using a correlationbased matching approach for this purpose. The ﬁrst step in this approach is to build a frequencydistribution table of each possible ciphertext segment value in each of the two distributions. Let the possible ciphertext segment values be in the range [0, 2x−1 ] where x is the number of bits in the ciphertext segment(for example, [0, 255] for a byte, or [0, 15] in case of a nibble). Also, let f (y) and f (y) denote the frequency with which a given
28
A. Ghoshal et al.
Algorithm 2. Template Matching Phase Require: Fault template T corresponding to plaintext P Ensure: The secretkey 1: for each fault location Sk ∈ S do 2: for each fault injection intensity Fj ∈ F do 3: for each l ∈ [1, N ] do 4: Inject a fault under intensity Fj in location Sk l 5: Let C j,k be the faulty ciphertext segment 6: end for 1 N 7: Ej,k ← C j,k , · · · , C j,k 8: end for 9: end for 10: for each fault location Sk ∈ S do 11: for each fault injection intensity Fj ∈ F do 12: for each possible key hypothesis Ki ∈ K and intermediate state segment Pi ∈ P do 13: ρi,i ,j,k ← M (Ej,k , Ti,i ,j,k ) 14: end for 15: end for 16: Store the pair (Ki , Pi ) pair such that Fj ∈F ρi,i j,k is maximum for the given fault location Sk . 17: end for 18: return the stored key hypothesis corresponding to each unique key segment location.
ciphertext segment value y ∈ [0, 2x−1 ] occurs in the template and the experimentally obtained distribution, respectively. Since there are exactly N sample points in each distribution, we have y∈[0,2x−1 ] f (y) = y∈[0,2x−1 ] f (y) = N . The next step is to compute the Pearson’s correlation coeﬃcient between the two distributions as: f (y) − 2Nx · f (y) − 2Nx ρ=
y∈[0,2x−1 ]
y∈[0,2x−1 ]
f (y) −
N 2 2x
y∈[0,2x−1 ]
f (y) −
N 2 2x
The Pearson’s correlation coeﬃcient is used as the measure M . The choice of statistic is based on the rationale that, for the correct key segment hypothesis, the template would have a similar frequency distribution of ciphertext segment values as the experimentally obtained set of faulty ciphertexts, while for a wrong key segment hypothesis, the distribution of ciphertext segment values in the template and the experimentally obtained ciphertexts would be uncorrelated. An advantage of the aforementioned statistical approach is that it can be extended to relaxed fault models such as multibyte faults, that are typically not exploited in traditional FIA techniques. In general, if a given fault injection aﬀects multiple locations in the block cipher state, the correlation analysis is
TemplateBased Fault Injection Analysis of Block Ciphers
29
simply repeated separately for each fault location. This is similar to the divideandconquer approach used in SCAbased keyrecovery techniques.
3
Case Study: TemplateBased FIA on AES128
In this section, we present a concrete case study of the proposed templatebased FIA strategy on AES128. As is wellknown, AES has a plaintext and key size of 128 bits each, and a total of 10 rounds. Each round except the last one comprises of a nonlinear SBox layer (16 SBoxes in parallel), a linear bytewise ShiftRow operation, and a linear MixColumn operation, followed by XORing with the round key. The last round does not have a MixColumn operation. This in turn implies that if a fault was injected in one or more bytes of the cipher state after the 9th round MixColumn operation, the faulty state byte (or bytes) combines with only a speciﬁc byte (or bytes) of the 10th round key. For example, if a fault was injected in the ﬁrst byte of the cipher state, the faulty byte would pass through the SBox and ShiftRow operation, and combine with the ﬁrst byte of the 10th round key to produce the ﬁrst byte of the faulty ciphertext. The exact relation between the fault injection location and the corresponding key segment depends solely on the ShiftRow operation, and is hence deterministic. This matches precisely the assumptions made in our attack description in the previous section. Consequently, this case study assumes that all faults are injected in the cipher state between the 9th round MixColumn operation and the 10th round SBox operations. The aim of the fault attack is to recover bytewise the whole 10th round key of AES128, which in turn deterministically reveals the entire secretkey. We note that fault injection in an earlier round will lead to extremely large templates, making the attack impractical. 3.1
The Fault Injection Setup
The fault injection setup (described in Fig. 2) uses a Spartan 6 FPGA mounted on a SakuraG evaluation board, a PC and an external arbitrary function generator (Tektronix AFG3252). The FPGA has a Device Under Test (DUT) block, which is an implementation of the block cipher AES128. Faults are injected using clock glitches. The device operates normally under the external clock signal clkext . The glitch signal, referred to as clkfast , is derived from the clkext via a Xilinx Digital Clock Manager (DCM) module. The fault injection intensity in our experiments is essentially the glitch frequency, and is varied using a combination of the DCM conﬁguration, and the external function generator settings. In the template building phase, the intermediate cipher state Pi and the intermediate round key Ki are monitored using a ChipScope Pro analyzer, while in the template matching phase, the DUT is a black box with no input handles or internal monitoring capabilities. Table 1 summarizes the glitch frequency ranges at which these fault models were observed on the target device.
30
A. Ghoshal et al.
(a) Template Building Phase Glitch Frequency (Fault Intensity)
SPARTAN 6 Arbitrary Function Generator
clkext
Xilinx DCM
clkglitch
Tektronix AFG3252
Fault Timing Plaintext
Xilinx SDK
JTAG
Device Under Test (DUT) BlackBox Implementation of AES128
Faulty Ciphertext Distribution
(b) Template Matching Phase
Fig. 2. Experimental setup
TemplateBased Fault Injection Analysis of Block Ciphers
31
Table 1. Glitch frequencies for diﬀerent fault models Glitch frequency (MHz) Faulty bytes Bit ﬂips per byte
3.2
125.3–125.5
1
1
125.6–125.7
1
2
125.8–126.0
1
3
126.1–126.2
2–3
1–3
>126.2
>3
>5
Templates for Single Byte Faults
In this section, we present examples of fault templates obtained from the device under test, for glitch frequencies that result in single byte fault injections in the AES128 module. Since only a single byte is aﬀected between the 9th round MixColumn operation and the 10th round SBox operations, we are interested in the distribution of the corresponding faulty byte in the ciphertext. Figure 3 presents fault templates containing ciphertext byte distributions for three categories of faults  single bit faults, twobit faults, and threebit faults. The templates cor
(a) Single bit faults: 125.3125.5(b) Twobit faults: 125.5125.7 MHz MHz
(c) Threebit faults: 125.7126.0 MHz
Fig. 3. Templates for single byte faults: distribution of faulty ciphertext byte for different fault injection intensities
32
A. Ghoshal et al.
respond to the same pair of intermediate state byte and last round key byte for an AES128 encryption. Quite evidently, the ciphertext distribution for each template reﬂects the granularity of the corresponding fault model. In particular, for a single bit fault, most of the faulty ciphertext bytes assume one of 8 possible values, while for threebit faults, the ciphertext bytes assume more than 50 different values across all fault injections. In all cases, however, the distribution of ciphertext values is nonuniform, which provides good scope for characterizing the fault behavior of the device in the template building phase. 3.3
Templates for Multibyte Faults
In this section, we present examples of fault templates constructed for glitch frequencies that result in multibyte fault injections. Figure 4 shows the distribution of diﬀerent bytes injected with diﬀerent faults. It is interesting to observe that at the onset of multibyte faults, the distribution of faulty ciphertext bytes is not uniformly random; indeed, it is possible to characterize the fault behavior of the device in terms of templates under such fault models. Given the absence of MixColumn operation in the last round of AES, each faulty intermediate state byte combines independently with a random last round key byte. This allows a divideandconquer template matching approach, where the statistical analysis may be applied to each faulty ciphertext byte independently. This is a particularly useful mode of attack, since it can be launched even without precise fault injection techniques that allow targeting a single byte of the cipher state.
(a) 1bit, 2bit fault in 2 bytes: (b) 1bit, 2bit, 3bit fault across 3 126.1 MHz bytes: 126.2 MHz
Fig. 4. Templates for multibyte faults: distribution of multiple faulty ciphertext byte values
3.4
Variation with Key Byte Values
The success of our template matching procedure with respect to AES128 relies on the hypothesis that for diﬀerent key byte values, the ciphertext distribution corresponding to the same fault location is diﬀerent. Otherwise, the key recovery would be ambiguous. We validated this hypothesis by examining the
TemplateBased Fault Injection Analysis of Block Ciphers
33
ciphertext distribution upon injecting a single bit fault in the ﬁrst byte of the cipher state, corresponding to diﬀerent key byte values. We illustrate this with a small example in Fig. 5. Figures 5a, b, c and d represent the frequency distributions for faulty ciphertext byte corresponding to the same intermediate byte value of 0x00, and key byte values 0x00, 0x01, 0x02 and 0x03, respectively. Quite evidently, the three frequency distributions are unique and mutually nonoverlapping. The same trend is observed across all 256 possible key byte values; exhaustive results for the same could not be provided due to space constraints.
(a) Target Key Byte = 0x00
(b) Target Key Byte = 0x01
(c) Target Key Byte = 0x02
(d) Target Key Byte = 0x03
Fig. 5. Frequency distributions for faulty ciphertext byte: same intermediate state byte but diﬀerent key byte values
3.5
Template Matching for KeyRecovery
In this section, we present results for recovering a single keybyte for AES128 under various fault granularities. As demonstrated in Fig. 6, the correlation for the correct key hypothesis exceeds the average correlation over all wrong key hypotheses, across the three fault models  single bit faults, twobit faults and threebit faults. As is expected, precise singlebits faults within a given byte enable distinguishing the correct key hypothesis using very few number of fault injections (50–100); for less granular faults such as threebit faults, more number of fault injections (200–500) are necessary. Finally, the same results also hold for multibyte fault models, where each aﬀected byte encounters a certain number of bitﬂips. Since the keyrecovery is performed bytewise, the adversary can use the same fault instances to recover multiple key bytes in parallel.
34
A. Ghoshal et al. Correct Key Wrong Key
Correct Key Wrong Key
0.6 Correlation Value
Correlation Value
0.7
0.6
0.5
0.4
0.5
0.4
0.3 0
500
1,000
1,500
2,000
0
Number of Faulty Injections
(a) Single Bit Faults
1,000
1,500
2,000
(b) TwoBit Faults Correct Key Wrong Key
0.5 Correlation Value
500
Number of Faulty Injections
0.45
0.4
0.35
0.3 0
500
1,000
1,500
2,000
Number of Faulty Injections
(c) ThreeBit Faults
Fig. 6. Correlation between template and observed ciphertext distribution: correct key hypothesis v/s wrong key hypothesis
4
Conclusion
We presented the ﬁrst template based fault injection analysis of block ciphers. We presented a generic algorithm comprising of a template building and a template matching phase, that can be easily instantiated for any target block cipher. The templates are built on pairs of internal state segment and key segment values at diﬀerent fault intensities, while the number of fault instances per template depends on the statistical methodology used in the matching phase. In this paper, we advocated the use of the Pearson correlation coeﬃcient in the matching phase; exploring alternative techniques in this regard is an interesting future work. In order to substantiate the eﬀectiveness of our methodology, we presented a casestudy targeting a hardware implementation of AES128 on a Spartan6 FPGA. Interestingly, our attack allowed exploiting even lowgranularity faults such as multibyte faults, that do not require high precision fault injection equipment. It may be emphasized that the attack is devoid of the exact knowledge of the underlying fault model. Such fault models also allowed parallel recovery of multiple keybytes, thus providing a tradeoﬀ between the number of fault injections, and the number of recovered keybytes. An interesting extension of this work would be apply templatebased analysis against implementations with fault attack countermeasures such as spatial/temporal/information redundancy.
TemplateBased Fault Injection Analysis of Block Ciphers
35
Acknowledgements. We would like to thank the anonymous reviewers for providing constructive and valuable comments. Debdeep would also like to thank his DST Swarnajayanti fellowship (2015–16) for partial support. He would also like to thank DRDO, India for funding the project, “Secure Resource  constrained communication Framework for Tactical Networks using Physically Unclonable Functions (SeRFPUF)” for partially supporting the research. He would also like to thank Information Security Education Awareness (ISEA), DIT, India for encouraging research in the area of computer security. Sikhar would like to thank Qualcomm India Innovation Fellowship 2017–18.
References 1. Agoyan, M., Dutertre, J.M., Naccache, D., Robisson, B., Tria, A.: When clocks fail: on critical paths and clock faults. In: Gollmann, D., Lanet, J.L., IguchiCartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 182–193. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642125102 13 2. Barenghi, A., Bertoni, G.M., Breveglieri, L., Pelosi, G.: A fault induction technique based on voltage underfeeding with application to attacks against AES and RSA. J. Syst. Softw. 86(7), 1864–1878 (2013) 3. Bl¨ omer, J., Seifert, J.P.: Fault based cryptanalysis of the advanced encryption standard (AES). In: Wright, R.N. (ed.) FC 2003. LNCS, vol. 2742, pp. 162–181. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540451266 12 4. Canivet, G., Cl´edi`ere, J., Ferron, J.B., Valette, F., Renaudin, M., Leveugle, R.: Detailed analyses of single laser shot eﬀects in the conﬁguration of a virtexii FPGA. In: 14th IEEE International OnLine Testing Symposium, IOLTS 2008, pp. 289–294. IEEE (2008) 5. Canivet, G., Maistri, P., Leveugle, R., Cl´edi`ere, J., Valette, F., Renaudin, M.: Glitch and laser fault attacks onto a secure AES implementation on a SRAMbased FPGA. J. Cryptol. 24(2), 247–268 (2011) 6. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Ko¸c, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). https://doi.org/10.1007/3540364005 3 7. Choukri, H., Tunstall, M.: Round reduction using faults. FDTC 5, 13–24 (2005) 8. Dehbaoui, A., Dutertre, J.M., Robisson, B., Tria, A.: Electromagnetic transient faults injection on a hardware and a software implementations of AES. In: 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 7–15. IEEE (2012) 9. Dusart, P., Letourneux, G., Vivolo, O.: Diﬀerential fault analysis on A.E.S. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 293–306. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540452034 23 10. Fuhr, T., Jaulmes, E., Lomn´e, V., Thillard, A.: Fault attacks on AES with faulty ciphertexts only. In: 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 108–118. IEEE (2013) 11. Ghalaty, N.F., Yuce, B., Taha, M., Schaumont, P.: Diﬀerential fault intensity analysis. In: 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 49–58. IEEE (2014) 12. Heydemann, K., Moro, N., Encrenaz, E., Robisson, B.: Formal veriﬁcation of a software countermeasure against instruction skip attacks. In: PROOFS 2013 (2013)
36
A. Ghoshal et al.
13. Kim, C.H.: Diﬀerential fault analysis against AES192 and AES256 with minimal faults. In: 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 3–9. IEEE (2010) 14. Kocher, P., Jaﬀe, J., Jun, B.: Diﬀerential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3540484051 25 15. Li, Y., Sakiyama, K., Gomisawa, S., Fukunaga, T., Takahashi, J., Ohta, K.: Fault sensitivity analysis. In: Mangard, S., Standaert, F.X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 320–334. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642150319 22 16. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards, vol. 31. Springer, Boston (2007). https://doi.org/10.1007/9780387381626 17. Mischke, O., Moradi, A., G¨ uneysu, T.: Fault sensitivity analysis meets zerovalue attack. In: 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2014, Busan, South Korea, 23 September 2014, pp. 59–67 (2014). https:// doi.org/10.1109/FDTC.2014.16 18. Mukhopadhyay, D.: An improved fault based attack of the advanced encryption standard. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 421– 434. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642023842 26 19. Patranabis, S., Chakraborty, A., Nguyen, P.H., Mukhopadhyay, D.: A biased fault attack on the time redundancy countermeasure for AES. In: Mangard, S., Poschmann, A.Y. (eds.) COSADE 2014. LNCS, vol. 9064, pp. 189–203. Springer, Cham (2015). https://doi.org/10.1007/9783319214764 13 20. Piret, G., Quisquater, J.J.: A diﬀerential fault attack technique against SPN structures, with application to the AES and Khazad. In: Walter, C.D., Ko¸c, C ¸ .K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 77–88. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540452386 7 21. Robisson, B., Manet, P.: Diﬀerential behavioral analysis. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 413–426. Springer, Heidelberg (2007). https://doi.org/10.1007/9783540747352 28 22. Saha, D., Mukhopadhyay, D., Chowdhury, D.R.: A diagonal fault attack on the advanced encryption standard. IACR Cryptology ePrint Archive 2009/581 (2009) 23. Selmane, N., Guilley, S., Danger, J.L.: Practical setup time violation attacks on AES. In: Seventh European Dependable Computing Conference, EDCC 2008, pp. 91–96. IEEE (2008) 24. Tunstall, M., Mukhopadhyay, D., Ali, S.: Diﬀerential fault analysis of the advanced encryption standard using a single fault. In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 224–233. Springer, Heidelberg (2011). https://doi.org/ 10.1007/9783642210402 15
NEON SIKE: Supersingular Isogeny Key Encapsulation on ARMv7 Amir Jalali1(B) , Reza Azarderakhsh1 , and Mehran Mozaﬀari Kermani2 1
2
Department of Computer and Electrical Engineering and Computer Science, Florida Atlantic University, Boca Raton, FL, USA {ajalali2016,razarderakhsh}@fau.edu Department of Computer Science and Engineering, University of South Florida, Tampa, FL, USA
[email protected]
Abstract. We present a highlyoptimized implementation of Supersingular Isogeny Key Encapsulation (SIKE) mechanism on ARMv7 family of processors. We exploit the stateoftheart implementation techniques and processor capabilities to eﬃciently develop postquantum key encapsulation scheme on 32bit ARMv7 CortexA processors. We benchmark our results on two popular ARMv7powered cores. Our benchmark results show signiﬁcant performance improvement of the key encapsulation mechanism in comparison with the portable implementation. In particular, we achieve almost 7.5 times performance improvement of the entire protocol over the SIKE 503bit prime ﬁeld on a CortexA8 core. Keywords: ARM assembly · Embedded device Postquantum cryptography Supersingular isogenybased cryptosystem
1
· Key encapsulation
Introduction
The ﬁrst postquantum cryptography (PQC) standardization workshop by National Institute of Standards and Technology (NIST) started a process to evaluate and standardize the practical and secure postquantum cryptography candidates for the quantum era. Considering the rapid growth in the design and development of practical quantum computers, there is a critical mission to design and develop postquantum cryptography primitives, the cryptography schemes which are assumed to be resistant against quantum adversaries. The standardization process takes into account diﬀerent aspects of the candidates such as the security proofs as well as their performance benchmark on a variety of platforms. Therefore, it is necessary to evaluate and possibly improve the eﬃciency of the approved proposals1 on diﬀerent processors. 1
Available at: https://csrc.nist.gov/Projects/PostQuantumCryptography/Round1Submissions (accessed in June 2018).
c Springer Nature Switzerland AG 2018 A. Chattopadhyay et al. (Eds.): SPACE 2018, LNCS 11348, pp. 37–51, 2018. https://doi.org/10.1007/9783030050726_3
38
A. Jalali et al.
Diﬀerent PQC candidates are constructed on hard mathematical problems which are assumed to be impossible to solve even for largescale quantum computers. We can categorize these problems into ﬁve main categories: codebased cryptography, latticebased cryptography, hashbased cryptography, multivariate cryprography, and supersingular isogenybased cryptography, see, for instance [5,19,25,26]. In this work, we focus on the eﬃcient implementation of the supersingular isogeny key encapsulation (SIKE) mechanism on ARMv7 family of processors. Although the new generation of ARM processors, i.e., ARMv8 is designed to take advantage of 64bit wide general registers and provide fast performance benchmark, the 32bit ARMv7 processors are still used inside many embedded devices. In particular, many IoT devices are designed and manufactured based on ARMv7 processors which require lowpower consumption and eﬃciency. Therefore, further optimization of PQC on embedded devices is essential. Moreover, NIST calls for the eﬃcient implementation of PQC candidates on diﬀerent platforms to be able to evaluate the eﬃciency and performance of PQC candidates accordingly. In particular, the public announcement by NIST regarding more platformspeciﬁc optimizations2 is the main motivation behind this work. Furthermore, supersingular isogenybased cryptography is assumed to be one of the promising candidates in quantum era because of its small keysize and the possibility of designing diﬀerent schemes such as digital signatures [16, 33], identiﬁcation protocols [16], and multiparty noninteractive keyexchange [7] with reasonable performance and parameter size. Since the isogenybased cryptography includes a large number of operations to compute the largedegree isogeny maps, the constructed protocols on this primitive still suﬀer from an extensive number of curve arithmetic compared to other PQC primitives. To address this, optimized implementations of the underlying DiﬃeHellman keyexchange protocol have been presented both on hardware [23] and software [13,14,18,24], taking advantage of stateoftheart engineering techniques to reduce the overall timing of the protocol. Moreover, new optimization techniques for ﬁeld arithmetic implementation of SIDHfriendly primes have been recently proposed by Bos et al. [8,9] and Karmakar et al. [22]. However, these works are based on the parameters which are not in compliance with the SIKE reference proposal. The SIKE reference implementation provides optimized implementations of this protocol on both Intel and ARMv8 processors [19]; however, the optimized implementation of this mechanism on ARMv7 cores is still unsettled. Early attempt by Azarderakhsh et al. [4] and later by Koziel et al. [24] is focused on the implementation of the supersingular isogeny DiﬃeHellman (SIDH) keyexchange on ARMv7 processors which is based on aﬃne coordinates. The proposed implementations suﬀered from the extensive number of ﬁeld inversions and they are not assumed to be resistant against simple power analysis attacks due to the lack of constanttime implementation. 2
Available at: https://groups.google.com/a/list.nist.gov/forum/#!topic/pqcforum/ nteDiyV66U8 (accessed in June 2018).
NEON SIKE: Supersingular Isogeny Key Encapsulation on ARMv7
39
In this work, we address all these shortcomings. We design constanttime SIKE protocol using ARMv7 NEON handcrafted assembly eﬃciently and benchmark our libraries on the two most popular ARMv7 cores, i.e., CortexA8 and CortexA15. Our optimized implementation signiﬁcantly outperforms the portable implementation of SIKE and make it practical for use inside ARMv7powered devices with high eﬃciency. We outline our contributions in the following: – We implement optimized and compact ﬁeld arithmetic libraries using ARMv7 NEON assembly, taking advantage of multiplication and reduction algorithms which are most suitable for our target platforms and ﬁnite ﬁeld size. The proposed libraries are integrated inside SIKE software and improve the performance and powerconsumption of this protocol on the target platforms. – We analyze the use of diﬀerent implementations of Montgomery reduction algorithm on ARMv7 NEON associated with the SIKEfriendly primes. The previous optimized implementations on ARMv7 mostly used generic approaches which is not optimal. Our proposed method, on the other hand, is designed and optimized for the SIKEfriendly primes, taking advantage of their special forms. – The proposed library signiﬁcantly improves the SIKE performance on ARMv7A processors. On powereﬃcient cores such as CortexA8, the portable version benchmark results are extremely slow and almost impractical to use in the real settings. Our optimizations decrease the overall process time remarkably and make SIKE as one of the possible candidates for PQC on IoT devices. Organization. In Sect. 2, we brieﬂy recall the supersingular isogeny key encapsulation protocol from [19], and [20]. In Sects. 3 and 4, we discuss our implementation parameters and the target platform capabilities. We also propose our highlyoptimized method to eﬃciently implement the ﬁnite ﬁeld arithmetic on ARMv7A processors. In Sect. 5, we show the SIKE performance benchmark on our target processors and analyze the performance improvement over the portable version. We conclude the paper in Sect. 6.
2
Background
This section includes a presentation of SIKE mechanism in a nutshell. The main protocol is designed on top of the SIDH protocol which was proposed by Jao and De Feo [20] and further presented more eﬀciently by Costello et al. [13] using projective coordinates and compact arithmetic algorithms. To simply understand the whole key encapsulation mechanism, we explain the combination of prior works including all the protocol optimizations which are designed inside the SIKE protocol in this section.
40
2.1
A. Jalali et al.
Isogenies of Supersingular Elliptic Curves
Let p be a prime of the form p = eAA eBB − 1, and let E be a supersingular elliptic curve deﬁned over a ﬁeld of characteristic p. E can be also deﬁned over Fp2 up to its isomorphism. An isogeny φ : E → E is a rational map from E to E which translates the identity into the identity that is deﬁned by its degree and kernel. The degree of an isogeny is its degree as morphism. An isogeny is an isogeny with degree . A subgroup of points G on a supersingular elliptic curve which contains + 1 cyclic subgroups of order is the torsion subgroup E[]. Each element of this group is associated to an isogeny of degree . The small degree isogeny can be computed using V´elu’s formula [32] which is the main property of computations in the supersingular isogeny cryptography. The isogeny map is denoted as φ : E → E /G. Since V´elu’s formula can only compute the isogeny of small degrees, in order to compute large degree isogenies, we need to deﬁne a set of optimal walks inside an isogeny graph. These walks contain point multiplication and small isogeny evaluation. Jao and De Feo [20] introduced this optimal strategy of computing largedegree isogeny by representing the isogenous points inside a full binary tree and retrieving the optimal computations using dynamic algorithms. This strategy is still considered as the most eﬃcient way of computing large degree isogeny and it is adopted inside all the eﬃcient implementations of isogenybased protocols to date, as well as PQC SIKE proposal [19] reference implementation. One of the main properties of supersingular elliptic curves is their jinvariant. This value is the same for the curves of a isogeny class and therefore it is used inside the keyexchange protocol as the computed shared key between two parties [20]. Two parties compute two isomorphic curves of the same class, and the shared secret is computed as the jinvariant value of the resulting isomorphic curves. Theoretically, the supersingular isogenybased cryptography can be constructed over supersingular curves with the property #E(Fp2 ) = (p + 1)2 . However, Costello et al. [13] showed that the use of Montgomery curves and Montgomery arithmetic can speed up the entire keyexchange procedure notably. Following by their work, in the SIKE proposal, the starting curve E0 /Fp2 : y 2 = x3 + x is an instance of Montgomery curves that has implementation properties because of its special form. Moreover, all the curve arithmetic are computed using Montgomery group and ﬁeld operations, taking advantage of their fast and compact algorithm while the computed isomorphic curves are all still in the Montgomery form. This leads to x−coordinate only eﬃcient formulae for group operations such as computing isogeny, ladder algorithm, point addition and multiplication as well as ﬁeld operations such as Montgomery reduction. Another beneﬁt of Montgomery curves in the context of isogenybased cryptography is that to ﬁnd the jinvariant value, we only need to compute the curve coeﬃcient A. Furthermore, one can compute curve coeﬃcient A only by using
NEON SIKE: Supersingular Isogeny Key Encapsulation on ARMv7
41
the xabscissas of two points xP and xQ and their diﬀerence xR using A=
(1 − xP xQ − xP xR − xQ xR )2 − xP − xQ − xR , 4xP xQ xR
(1)
where xR = xP − xQ is also a point on E. This leads to a signiﬁcant performance improvement of SIDH since at the beginnig of the second round of keyexchange, each party can eﬃciently retrieve other party’s public key. We observe that the curve coeﬃcient computation from (1) can be also computed projectively to eliminate the expensive ﬁeld inversion. However, since this value needs to be evaluated in the second round of the protocol from exchanged public values, the Zcoordinates are also required to be encapsulated inside the public parameters which increases the publickey size. Therefore, it is not reasonable to sacriﬁce the most important beneﬁt of isogenybased cryptography, i.e., small key size, to a negligible performance improvement. 2.2
Supersingular Isogeny Key Encapsulation (SIKE) Mechanism
Public Parameters. SIKE protocol [19], similar to other PQC schemes, is deﬁned over a set of public and secret set of parameters. The public parameters of the key encapsulation mechanism are listed as follows: 1. A prime p of the form p = eAA eBB − 1, where eA , eB are two positive integers. The corresponding ﬁnite ﬁeld is deﬁned over Fp2 . Note that the form of the prime which is proposed in the SIKE deﬁnition is sligtly diﬀerent from the one which was originally proposed by Jao and De Feo. This slight diﬀerence is for the eﬃciency reason; this form enables the implementation to adopt a tailored version of Montgomery reduction [13], while it does not aﬀect the security level of the protocol at the same bitlength. In this work, we take advantage of this special form inside the reduction implementation. Moreover, the form of the prime contains two small integers A and B which deﬁne the order of torsion subgroups for isogeny computations. In particular, the isogeny computations using V´elu’s formula need to be constructed over these torsion subgroups, i.e., E[eAA ] and E[eBB ] of points on the curve for each party. 2. A starting supersingular Montgomery curve E0 : y 2 = x3 + x deﬁned over Fp2 . 3. Two sets of generators which contain 3tuple xcoordinates from E0 [eAA ] and E0 [eBB ]. For the eﬃciency reasons, the 3tuple contains two distinct points and their diﬀerence represented in xcoordinates to encode these bases, i.e., xRA = xPA − xQA and xRB = xPB − xQB . The key encapsulation mechanism is a protocol between two parties which generates a sharedsecret between the communication entities using public parameters. In this section, we describe the SIKE protocol. We refer the readers to [19,20] for more details.
42
A. Jalali et al.
Key Generation. The key generation randomly chooses a secretkey from keyspace KB and computes the corresponding publickey, i.e., a 3tuple xcoordinates pkB by evaluating eBB degree isogeny from starting curve E0 to EB . Moreover, an nbit secret random message s ∈ {0, 1}n is generated and concatenated to skB and pkB to construct the SIKE secretkey skB . The generated pkB and skB are the output of this procedure [19]: E0 → EB /xPB + [skB ]xQB → skB : (s, skB , pkB ).
(2)
Key Encapsulation. This algorithm gets the generated publickey pkB from the keygeneration procedure as the input. First, an nbit random string m ∈ {0, 1}n is generated and concatenated with the publickey pkB . Further, the result is hashed using the hash function (cSHAKE256) G. This produced hash value is the ephermeral secretkey r which is used to compute the SIKE ciphertext. The hash function H inside the encryptor is also a cSHAKE256 function. The generated ciphertexts are further concatenated with m and hashed to generate the SIKE sharedkey K [19]:
B = [EB , φB (xPA ), φB (xQA )] s ∈R {0, 1}
(c0 ,c1 )
m ∈R {0, 1} r = G( B , m) A (r) = [EA , φA (xPB ), φA (xQB )] j = j(EAB ) ( B , m, r) → (c0 , c1 ) (c0 , c1 ) = ( A (r), G(jinv ) ⊕ m) K = H(m (c0 , c1 ))
←−−−− j = j(EBA ) m = c1 ⊕ G(j ) r = G( B , m ) A (r ) = c0 → K = H(m (c0 , c1 )) (r ) = c → K = H(s (c0 , c1 )) 0 A
Fig. 1. SIKE protocol using isogenies on supersingular curves.
Enc(pkB , m, G(m pkB )) → (c0 , c1 ) H(m (c0 , c1 )) → K.
(3)
NEON SIKE: Supersingular Isogeny Key Encapsulation on ARMv7
43
Key Decapsulation. Computes the sharedkey K from the outputs of equations (2) and (3). First, 2tuple ciphertext is decrypted using secretkey skB and hashed to retrieve m . Further, m is concatenated with publickey pkB and hashed using the G function to retrieve an ephemeral secretkey r [19]. Dec(skB , (c0 , c1 )) → m G(m pkB ) → r . Next, c0 is computed by evaluating eAA isogeny of starting curve E0 using the kernel xPA + [r ]xQA : E0 → EA /xPA + [r ]xQA → c0 . The ﬁnal correction deﬁnes the exact value of the sharedkey as follows: if the c0 value and c0 are equal, the sharedkey K is computed as K = H(m (c0 , c1 )) which is the correct shared key, otherwise the provided ciphertext is not correct and the shared key should be randomly generated as K = H(s (c0 , c1 )) to be INDCCA secure [19]. The whole key encapsulation mechanism is illustrated in Fig. 1. In the next section, we describe SIKE parameters and a brief discussion on the security of supersingular isogenybased problem.
3
SIKE Parameters and Security
The ﬁrst proposal on constructing publickey cryptography schemes from the isogenies of regular elliptic curves was introduced by Rostovtsev and Stolbunov [27] in 2006. Later, CharlesLauterGoren [11] presented a set of cryptography hash functions constructed from Ramanujan graphs, i.e., the set of supersingular elliptic curves over Fp2 with isogenies. Inspired by their work, Jao and De Feo introduced the ﬁrst postquantum cryptography protocol based on the hardness of computing isogenies [20] which has exponential complexity against classical and quantum attacks such as Childs et al. [12] quantum attack. In 2016, Galbraith et al. [15] proposed a set of new attacks on the security of SIDH which proved the security vulnerabilities inside the protocol when Alice and Bob reuse static keys. To address this problem, SIKE scheme implements an actively secure key encapsulation (INDCCA KEM) which resolves the static key issue. Currently, the best known quantum attack against the Computational Supersingular Isogeny (CSSI) problem is based on clawﬁnding algorithm using quantum √ walks [31], which theoretically can ﬁnd the isogeny between two curves in O( 3 e ), where e is the size of the isogeny kernel; accordingly, the provided quantum security level for SIKE is inherited by the minimum bitlength of each isogeny kernel, i.e., min( 3 eAA , 3 eBB ). This deﬁnition can be scaled up for diﬀerent isogenybased protocols such as undeniable signature [17,21] which is constructed on three of such torsion subgroups. In thiscase, the quantum security level of the protocol can be deﬁned as min( 3 eAA , 3 eBB , 3 eCC ).
44
A. Jalali et al.
Recent work by Adj et al. [1] provides a set of realistic models of quantum computation on solving CSSI problem. Based on their analysis, the OorschotWiener golden collision search is the most powerful attack on the CSSI problem [1]; accordingly, both classical and quantum security level for SIKE and SIDH protocols are increased signiﬁcantly for the proposed parameters set [19]. In particular, they claimed that 434 and 610bit primes can meet NIST’s category 2 and 4 requirements, respectively [1]. However, in this work, we still focus on the implementation of the conservative parameter sets which are proposed in [19] to illustrate the eﬃciency of our library even over relatively large ﬁnite ﬁelds. The proposed implementation targets three diﬀerent levels of security in compliance with SIKE parameter sets, i.e., SIKEp503, SIKEp751, and SIKEp964 providing 83, 124, and 159bit conservative quantum security. We discuss the details of our implementation in the next section.
4
Optimized Implementation on ARMv7A Processors
Supersingular isogenybased cryptography provides the smallest key size compared to other PQC candidates. This feature is favorable for the applications such as IoT device communication with a central hub with limited bandwidth for each client. However, as already mentioned, large degree isogeny computations require a large amount of ﬁnite ﬁled arithmetic operations on elliptic curves. This is in contrast with IoT protocol requirements where the communications should be reasonably eﬃcient in terms of power and time. To address this problem, since the invention the isogenybased cryptography, eﬃcient implementations of this primitive have been proposed on a variety of platform. In this section, we describe a highlyoptimized implementation of key encapsulation mechanism on ARMv7A platforms which are equipped with NEON technology; we need to describe our target platforms and introduce their capabilities ﬁrst, and then discuss the methodology we used which leads to remarkable performance improvement of the library. 4.1
Target Platform
Our implementation is optimized for the 32bit ARMv7 CortexA with a focus on two cores, i.e., A8 and A15. Note that the proposed library can be run on other ARMv7A cores which support NEON technology. We describe the target platform capabilities in the following: CortexA8. Similar to other ARM processors, this core performs operations through a pipeline with diﬀerent stages. First, the instruction fetch unit loads the fetched instructions from L1 cache and stores them into a buﬀer. Next, the decode unit decodes the instructions and passes them to the execute unit where all the arithmetic operations are performed inside a pipeline. This family of processors takes advantage of a separate 10stage NEON pipeline in which all the NEON instructions are decoded and executed [3]. Since CortexA8 is a powereﬃcient processor, the execution pipeline performs inorder execution of
NEON SIKE: Supersingular Isogeny Key Encapsulation on ARMv7
45
the instructions, and all the instructions are queued in the pipeline. This leads to a remarkable performance degradation, while reduces the power consumption. CortexA15. This highperformance core beneﬁts from an advanced microcontroller bus architecture as well as fully outoforder pipeline. This core consists of one to four processing units inside a single MPCore device providing fast L1 and L2 cache subsystems [2]. The main advantage of this processor over the other ARMv7A cores is its outoforder variablelength pipeline which enhances the instructions operation signiﬁcantly. We benchmark our library on this processor to show the eﬃciency of our design when it runs on the highperformance cores. We state that, this family of processors is often used in the applications where the powerconsumption is not crucial. Both CortexA8 and CortexA15 processors feature 32 NEON vectors which are 128bit wide and can be accessed using d and q notations which provide 64bit or 128bit overview of data, respectively. The main performance improvement of handcrafted assembly implementation comes from this feature since we take advantage of these wide vectors and SIMD arithmetic unit to boost up the ﬁeld arithmetic operations. Moreover, the wide vectors reduce the number of expensive memoryregister transitions by loading and storing multiple vectors at once using ldmia and stmia instructions. In the following section, we describe our method in details. 4.2
Arithmetic Optimization
Finite ﬁeld arithmetic are the fundamental operations inside any publickey cryptography scheme. Isogenybased cryptography, at the lowest level, requires hundred thousands of ﬁeld arithmetic operations to compute the largedegree isogenies. Moreover, since the supersingular curve is constructed over an extension ﬁeld Fp2 , diﬀerent optimization techniques such as lazy reduction are adopted to boost the overall performance further. Recent work by FazHern´ andez et al. [14] shows that using some innovative optimization techniques such as precomputed lookup tables to improve the performance of group operation (threepoint ladder) can enhance the overall performance of the SIDH protocol; however, the improvements are not signiﬁcant compared to optimizations in the base ﬁeld arithmetic. Therefore, in this work, we concentrate on the lowest level of implementation hierarchy and optimize the expensive multiplication/reduction as well as large modular additions and subtractions functions. Note that we follow the strategy which is used in the SIKE reference implementation [19], and separate the multiplication and the Montgomery reduction methods to be able to adopt lazy reduction technique inside extension ﬁeld implementation. Addition and Subtraction. Although ﬁeld addition and subtraction are not very expensive operations, they can cause noticeable pipeline stalls over the large ﬁeld sizes. In particular, taking advantage of lazy reduction inside extension ﬁeld requires to have out of ﬁeld addition. This means over a bbit prime p, we also need to implement 2bbit addition and subtraction. On the constrained devices with 32bit architecture, this results in multiple load and store operations due
46
A. Jalali et al.
to the lack of enough number of registers. To address this problem, speciﬁcally in the case of SIKEp964 which requires the implementation of 2048bit addition and subtraction, we take advantage of NEON vectorization. The idea is simple and straightforward. Since the NEON parallel addition and subtraction do not support any carry/borrow propagation, we use vector transpose operation VTRN and zero vectors to divide a full 128bit vector into two vectors of 64bit data and use the 64bit space for carry/borrow propagation. This technique is inspired by the optimized NEON operandscanning Montgomery multiplication in [28]. This helps us to eliminate redundant load and store operations in A32 instructions and load multiple wide vectors at the same time. We observed notable performance improvement in addition and subtraction methods by adopting this technique. Multiplication. Since the release of ARMv7A series of processors equipped with NEON technology, diﬀerent optimized implementations of ﬁeld arithmetic have been proposed to exploit this capability. First attempts to implement cryptography multiplication and reduction over pseudoMersenne prime using NEON by Bernestein et al. [6] followed by the vectorized Montgomery multiplication implementation by Bos et al. [10] showed that vectorization can improve the eﬃciency of publickey cryptography protocols signiﬁcantly. Subsequently, Seo et al. [28] introduced an operandscanning Montgomery multiplication over generic form of primes with better performance results. Their implementation is highlyoptimized and takes advantage of parallel NEON addition. We believe their proposed method is the most eﬃcient way of implementing the Montgomery multiplication; however, in this work we need to implement the multiplication and the Montgomery reduction separately. Therefore, we follow the same implementation technique to vectorize multiprecision multiplication for the three different ﬁnite ﬁelds, i.e., 503, 751, and 964bit primes. We refer the reader to [28] for further details. Note that, in case of 964bit multiplication, we adopted onelevel Karatsuba multiplication to increase the availability of vector registers and reduce the pipeline stalls. We found this method to be very eﬀective for the relatively large ﬁelds. Tailored Montgomery Reduction. SIKE implementation parameters beneﬁt from a set of optimized reduction algorithms because of their special form. In particular, all the proposed parameters are Montgomeryfriendly primes. This reduces the complexity of Montgomery reduction from O(n2 + n) to O(n2 ), where n is the number of platform words to allocate the ﬁnite ﬁeld elements. Furthermore, Costello et al. [13] improved this complexity for the prime of the form p = 2eA .eBB − 1 by computing the Montgomery reduction regarding to pˆ = p + 1 and ignoring multiple multiplications with “0” words. Their proposed method is implemented using the productscanning (Comba) multiplication and the optimized implementation on Intel and ARMv8 processors are provided in the SIKE submission [19]. Since the optimized multiplication on ARMv7A platforms is designed based on operandscanning method, in this work, we design a tailored operandscanning Montgomery multiplication which beneﬁts from all the SIKEfriendly prime fea
NEON SIKE: Supersingular Isogeny Key Encapsulation on ARMv7 16
31
15 14 13 12 11 10
9
8
7
6
15 14 10 13
8
11
7
pˆ
a0 pˆ15
9
12
a0 pˆ7
a0 pˆ11 a0 pˆ12
a0 pˆ13 a0 pˆ14
a0 pˆ8
5
4
3
2
1
47
a
0
128bit NEON vector
a0 pˆ9 a0 pˆ10
+ a15 pˆ15
a15 pˆ11 a15 pˆ7 a15 pˆ12 a15 pˆ8 a15 pˆ13 a15 pˆ9 a15 pˆ14 a15 pˆ10
ma9 pˆ15
ma9 pˆ11 ma9 pˆ7 ma9 pˆ12 ma9 pˆ8 ma9 pˆ13 ma9 pˆ9 ma9 pˆ14 ma9 pˆ10
+ ma15 pˆ15
ma15 pˆ11 ma15 pˆ7 ma15 pˆ12 ma15 pˆ8 ma15 pˆ13 ma15 pˆ9 ma15 pˆ14 ma15 pˆ10
15 14 13 12 11 10
9
8
7
6
5
4
3
2
1
0
mc
Fig. 2. SIKEp503 Montgomery reduction using NEON instruction set.
tures. We only describe the implementation of SIKEp503 in this section; however, the same strategy is scaled up for the larger parameters. We illustrate our method in the Fig. 2. The 503bit value of pˆ = p503 + 1 has 9 nonzero elements which can be allocated inside three 128bit vector registers. Note that the third vector is only occupied with 32 bits and we can use the rest of it as per requirement. After loading pˆ into vector registers, we shuﬄe it in a new order as it is highlighted in Fig. 2. We load the ﬁrst 16 × 32bit (least signiﬁcant half) of the multiplication results into 4 vectors. We continuously update data inside these vectors until the end of the algorithm where the ﬁnal reduction result is stored back to the memory. As it is illustrated in Fig. 2, our implementation is based on the operandscanning method, in contrast to the eﬃcient implementations of SIKE submission which are all based on Comba method. At the beginning of the algorithm, we transpose the values inside pˆ in a special order to be able to use the NEON parallel multiplication. In the middle of the algorithm, we need to compute the ma array which is computed by multiplication and addition of the input operand with pˆ. The proposed method reduces the total number of multiplication inside the Montgomery reduction algorithm notably and provides the optimal timing results. Similar to [28], we take advantage of VMLAL instruction inside our code which computes the multiplication and addition with previous values inside a vector at once. This instruction eliminates hundreds of addition instructions inside the code, while it requires the exact same number of clock cycles as VMULL to execute the arithmetic. Considering other possible implementations of tailored Montgomery reduction, we believe the above method is the most eﬃcient way of implementing this algorithm on ARMv7A processors to date. We justify
48
A. Jalali et al.
our claim by the signiﬁcant performance improvement which we obtain in this work in the following section.
5
Performance Result and Discussion
In this section, we provide the performance results of the SIKE protocol on the target platforms for diﬀerent security levels. Moreover, we benchmarked the portable C implementation of the protocol and include it to show the enhancement we obtain by using NEON instructions and our proposed optimized implementation. We benchmark our library on two ARMv7powered devices: – A BeagleBone development board equipped with a lowpower CortexA8 running at 1.0 GHz. – An NVIDIA JetsonTK1 board with a CortexA15 core running at 2.3 GHz. Table 1. Performance results (presented in millions of clock cycles) of the proposed softwares in comparison with reference implementation on ARMv7A platforms (benchmarks were obtained on 1.0 GHz CortexA8 and 2.3 GHz CortexA15 cores running Linux) Scheme
Operation NEON ASM Optimized C [19] CortexA8 CortexA15 CortexA8 CortexA15
SIKEp503 KeyGen. Encap. Decap. Total
99 162 174 435
68 112 121 301
813 1, 339 1, 424 3, 576
577 910 955 2, 442
SIKEp751 KeyGen. Encap. Decap. Total
364 589 618 1,571
280 439 491 1,210
2, 842 4, 598 4, 944 12, 384
2, 089 3, 331 3, 531 8, 951
SIKEp964 KeyGen. Encap. Decap. Total
870 1,504 1,598 3,972
635 1,098 1,176 2,909
6, 037 10, 376 10, 835 27, 248
4, 409 7, 678 7, 963 20, 050
The binaries are natively compiled with gcc 4.7.3 using O3 fomit framepointer mfloatabi=softfp mfpu=neon ﬂags. In case of SIKEp964 on CortexA8, we crosscompiled the library using armlinuxgnueabigcc 7.3.0 due to memory limitations on BeagleBone development board. We benchmarked the executables using taskset command to ensure that the code is benchmarked only on a single core. Table 1 shows the performance of our library in comparison with the portable version on each target platform.
NEON SIKE: Supersingular Isogeny Key Encapsulation on ARMv7
49
Based on the benchmark results, our arithmetic libraries improve the performance of the portable version roughly 7.5 times on both platforms. This signiﬁcant improvement is obtained from the parallelism and wide vectorization by adopting NEON assembly instruction set. We state that even twolevel Karatsuba multiplication can be beneﬁcial for the large parameter sets on some platforms; however, we believe 512bit multiplication using NEON can be implemented optimally on ARMv7A processors and further division of the computation may not provide any performance improvement. Since the CortexA8 is working at 1.0 GHz frequency, the obtained clock cycles are also representing the actual time in milliseconds. Therefore, the entire key encapsulation mechanism takes 1.5 and 3.9 s for SIKEp751 and SIKEp964, respectively using NEON assembly optimizations. While these timings are smaller than portable implementation results, they still can result in latency challenges on lowpower embedded devices.
6
Conclusion
In this work, we presented a set of highlyoptimized ARMv7A arithmetic library integrated into the SIKE reference implementation. We benchmarked our library on two popular ARMv7A cores and compared the performance with optimized portable version. The proposed libraries improve the performance of the key encapsulation protocol signiﬁcantly; accordingly, the total number of clock cycles as well as power consumption is decreased notably. This makes it possible for the SIKE scheme to be used on lowpower IoT devices which are equipped with ARMv7 core such as CortexA8. We engineered the ﬁled multiplication and reduction so that they are ﬁt for the SIKE parameters over diﬀerent quantum security levels. In particular, we suggested using the operandscanning method instead of productscanning method for modular multiplication and reduction on NEON technology. The main motivation behind this work was to evaluate the optimized targetspeciﬁc codes for SIKE protocol. Moreover, we believe supersingular isogeny cryptography deserves more investigation by scientists and engineers because of its advantages such as small key size. We hope this work be a motivation for the further investigation into the eﬃciency of the SIKE protocol on embedded devices. The recent optimized implementation of SIDH protocol on ARMv7A platforms by Seo et al. [29] was not publicly available at the time of the submission of this work. We state that the proposed optimization techniques in this work diﬀers from [29]. Moreover, this work presents the eﬃcient implementation of SIKE protocol, while authors of [29] target SIDH keyexchange on ARMv7A platforms. Acknowledgment. The authors would like to thank the reviewers for their comments. This work is supported in parts by grants from NIST60NANB16D246 and ARO W911NF1710311.
50
A. Jalali et al.
References 1. Adj, G., CervantesV´ azquez, D., ChiDom´ınguez, J., Menezes, A., Rodr´ıguezHenr´ıquez, F.: On the cost of computing isogenies between supersingular elliptic curves. IACR Cryptology ePrint Archive 2018, 313 (2018). https://eprint.iacr.org/ 2018/313 2. ARM Limited: CortexA15 Technical Reference Manual (2010). http://infocenter. arm.com/help/topic/com.arm.doc.ddi0438c/DDI0438C cortex a15 r2p0 trm.pdf. Accessed June 2018 3. ARM Limited: CortexA8 Technical Reference Manual (2010). http://infocenter. arm.com/help/topic/com.arm.doc.ddi0344k/DDI0344K cortex a8 r3p2 trm.pdf. Accessed June 2018 4. Azarderakhsh, R., Fishbein, D., Jao, D.: Eﬃcient implementations of a quantumresistant keyexchange protocol on embedded systems. Technical report (2014). http://cacr.uwaterloo.ca/techreports/2014/cacr201420.pdf 5. Bernstein, D.J., et al.: Classic McEliece: conservative codebased cryptography. NIST submissions (2017) 6. Bernstein, D.J., Schwabe, P.: NEON crypto. In: Prouﬀ, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 320–339. Springer, Heidelberg (2012). https:// doi.org/10.1007/9783642330278 19 7. Boneh, D., et al.: Multiparty noninteractive key exchange and more from isogenies on elliptic curves. arXiv preprint arXiv:1807.03038 (2018) 8. Bos, J.W., Friedberger, S.: Fast arithmetic modulo 2x py ± 1. In: 24th IEEE Symposium on Computer Arithmetic, ARITH 2017, London, United Kingdom, pp. 148–155 (2017) 9. Bos, J.W., Friedberger, S.: Arithmetic considerations for isogeny based cryptography. IEEE Trans. Comput. (2018) 10. Bos, J.W., Montgomery, P.L., Shumow, D., Zaverucha, G.M.: Montgomery multiplication using vector instructions. In: Lange, T., Lauter, K., Lisonˇek, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 471–489. Springer, Heidelberg (2014). https:// doi.org/10.1007/9783662434147 24 11. Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2009) 12. Childs, A.M., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014) 13. Costello, C., Longa, P., Naehrig, M.: Eﬃcient algorithms for supersingular isogeny DiﬃeHellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662530184 21 14. FazHern´ andez, A., L´ opez, J., OchoaJim´enez, E., Rodr´ıguezHenr´ıquez, F.: A faster software implementation of the supersingular isogeny diﬃehellman key exchange protocol. IEEE Trans. Comput. (2017) 15. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/ 9783662538876 3 16. Galbraith, S.D., Petit, C., Silva, J.: Identiﬁcation protocols and signature schemes based on supersingular isogeny problems. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 3–33. Springer, Cham (2017). https://doi. org/10.1007/9783319706948 1
NEON SIKE: Supersingular Isogeny Key Encapsulation on ARMv7
51
17. Jalali, A., Azarderakhsh, R., MozaﬀariKermani, M.: Eﬃcient postquantum undeniable signature on 64Bit ARM. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 281–298. Springer, Cham (2018). https://doi.org/10.1007/ 9783319725659 14 18. Jalali, A., Azarderakhsh, R., Kermani, M.M., Jao, D.: Supersingular isogeny DiﬃeHellman key exchange on 64bit arm. IEEE Trans. Dependable Secure Comput. (2017) 19. Jao, D., et al.: Supersingular isogeny key encapsulation. Submission to the NIST PostQuantum Standardization project (2017). https://csrc.nist.gov/Projects/ PostQuantumCryptography/Round1Submissions 20. Jao, D., De Feo, L.: Towards quantumresistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642254055 2 21. Jao, D., Soukharev, V.: Isogenybased quantumresistant undeniable signatures. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 160–179. Springer, Cham (2014). https://doi.org/10.1007/9783319116594 10 22. Karmakar, A., Roy, S.S., Vercauteren, F., Verbauwhede, I.: Eﬃcient ﬁnite ﬁeld multiplication for isogeny based post quantum cryptography. In: Duquesne, S., PetkovaNikova, S. (eds.) WAIFI 2016. LNCS, vol. 10064, pp. 193–207. Springer, Cham (2016). https://doi.org/10.1007/9783319552279 14 23. Koziel, B., Azarderakhsh, R., Kermani, M.M., Jao, D.: Postquantum cryptography on FPGA based on isogenies on elliptic curves. IEEE Trans. Circuits Syst. 64–I(1), 86–99 (2017) 24. Koziel, B., Jalali, A., Azarderakhsh, R., Jao, D., MozaﬀariKermani, M.: NEONSIDH: eﬃcient implementation of supersingular isogeny DiﬃeHellman key exchange protocol on ARM. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 88–103. Springer, Cham (2016). https://doi.org/10.1007/9783319489650 6 25. Naehrig, M., et al.: FrodoKEM: practical quantumsecure key encapsulation from generic lattices. NIST submissions (2017) 26. Poppelmann, T., et al.: Newhope. NIST submissions (2017) 27. Rostovtsev, A., Stolbunov, A.: Publickey cryptosystem based on isogenies. IACR Cryptology ePrint Archive 2006, 145 (2006) 28. Seo, H., Liu, Z., Großsch¨ adl, J., Choi, J., Kim, H.: Montgomery modular multiplication on ARMNEON revisited. In: Lee, J., Kim, J. (eds.) ICISC 2014. LNCS, vol. 8949, pp. 328–342. Springer, Cham (2015). https://doi.org/10.1007/9783319159430 20 29. Seo, H., Liu, Z., Longa, P., Hu, Z.: SIDH on ARM: faster modular multiplications for faster postquantum supersingular isogeny key exchange. IACR Cryptology ePrint Archive 2018, 700 (2018) 30. Silverman, J.H.: The Arithmetic of Elliptic Curves. GTM, vol. 106. Springer, New York (2009). https://doi.org/10.1007/9780387094946 31. Tani, S.: Claw ﬁnding algorithms using quantum walk. Theor. Comput. Sci. 410(50), 5285–5297 (2009) 32. V´elu, J.: Isog´enies entre courbes elliptiques. CR Acad. Sci. Paris S´er. AB 273, A238–A241 (1971) 33. Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., Soukharev, V.: A postquantum digital signature scheme based on supersingular isogenies. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 163–181. Springer, Cham (2017). https://doi.org/10. 1007/9783319709727 9
A Machine Vision Attack Model on Image Based CAPTCHAs Challenge: Large Scale Evaluation Ajeet Singh(B) , Vikas Tiwari(B) , and Appala Naidu Tentu(B) C.R. Rao Advanced Institute of Mathematics, Statistics, and Computer Science, University of Hyderabad Campus, Hyderabad 500046, India aje
[email protected],
[email protected],
[email protected]
Abstract. Over the past decade, several public web services made an attempt to prevent automated scripts and exploitation by bots by interrogating a user to solve a Turingtest challenge (commonly known as a CAPTCHA) before using the service. A CAPTCHA is a cryptographic protocol whose underlying hardness assumption is based on an artiﬁcial intelligence problem. CAPTCHAs challenges rely on the problem of distinguishing images of living or nonliving objects (a task that is easy for humans). User studies proves, it can be solved by humans 99.7% of the time in under 30 s while this task is diﬃcult for machines. The security of image based CAPTCHAs challenge is based on the presumed diﬃculty of classifying CAPTCHAs database images automatically. In this paper, we proposed a classiﬁcation model which is 95.2% accurate in telling apart the images used in the CAPTCHA database. Our method utilizes layered features optimal tuning with an improved VGG16 architecture of Convolutional Neural Networks. Experimental simulation is performed using Caﬀe deep learning framework. Later, we compared our experimental results with signiﬁcant stateoftheart approaches in this domain. Keywords: Computing and information systems · CAPTCHA Botnets · Security · Machine learning · Advanced neural networks Supervised learning
1
Introduction
A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) can be considered as a test V, on which majority of humans have success probability almost close to 1, whereas its hard to write a computer program that has high success rate on test V. If any program exists that has high success over V can be utilized to solve a hard AI problem [10]. The important characteristics of a CAPTCHA are: (A) Easy for a user to solve. (B) Diﬃcult for a program/automated script or a computer to solve. Mainly CAPTCHA’s challenge are of two types  text based CAPTCHA and image based CAPTCHA. c Springer Nature Switzerland AG 2018 A. Chattopadhyay et al. (Eds.): SPACE 2018, LNCS 11348, pp. 52–64, 2018. https://doi.org/10.1007/9783030050726_4
Attack Model on Image based CAPTCHAs
53
While the security of text based CAPTCHAs rely on hardness of distinguishing distorted text through machines, image based CAPTCHAs rely on the problem of distinguishing images of object A and B. It possesses many practical security oriented applications, i.e. – Search Engine Bots: Some websites want to prevent themselves to be indexed by various search engines but the speciﬁc html tag which prevent search engine bots [1] fron reading web pages, doesn’t guarantee that those bots will never read the pages. So, CAPTCHAs are needed to make sure that bots are not entering into targeted web site. – Free Email Services: “Bots” is a speciﬁc type of attack, with which companies like Microsoft, Indiatimes, Yahoo! etc. suﬀer shall be need to face while oﬀering free email services. “Bots” can do sign up for millions of email accounts per minute. This drastic situation can be avoided by asking user to prove that they are human before they process. Some of the examples of CAPTCHAs challenge are given in Fig. 1. – Online Elections(evoting:) Online polls are also proven to be highly vulnerable through bots. In 1999, slashdot.com released an online poll asking which was the best graduate school in computer science (a dangerous question to ask over the web!). As is the case with most online polls, IP addresses of voters were recorded in order to prevent single users from voting more than once. However, students at Carnegie Mellon found a way to stuﬀ the ballots by using programs that voted for CMU thousands of times. CMU’s score started growing rapidly. The next day, students at MIT wrote their own voting program and the poll became a contest between voting bots. MIT ﬁnished with 21,156 votes, Carnegie Mellon with 21,032 and every other school with less than 1,000. So, can we trust the result of any online poll?
Fig. 1. CAPTCHA solving services
54
1.1
A. Singh et al.
Motivation and Our Contribution
In the case of conventional cryptography, for an instance, one assumption taken is that  in a reasonable amount of time, an adversary can’t factor 2048bit integer. In the same way, CAPTCHA model functions on an assumption that the adversary can’t solve an AI (Artiﬁcial Intelligence) problem with higher accuracy than what is currently known among the AI community. If the considered AI problem is useful, CAPTCHA implies a winwin situation  either its hard to break CAPTCHA and there exist a way to diﬀerentiate humans from machines, or a CAPTCHA is broken and an appropriate AI problem can be solved successfully. The main contributions of our paper are as follows – We have given an extensive stateoftheart review. – We propose an attack model for image based CAPTCHAs challenge and performed experiments on high end Tesla K80 GPU accelerator up to 8.73 teraﬂops singleprecision performance. We also compare our proposed technique with earlier techniques described in literature. 1.2
Preliminaries: Definitions and Notation
Here we present some deﬁnitions and notations. Consider γ be a PDF (probability distribution function), [γ]: denote the support of γ. If P(.) denotes probabilistic program, then we denote Pr (.) as the deterministic program. Let, (P, V) is a pair of probabilistic interacting programs, then denote the output of V after interaction between P and V with random coins u1 & u2 , (here assume, this interaction will terminate by < Pu1 , Vu2 >). Test: A program V is called a test if ∀ P and u1 , u2 , the interaction between Pu1 & Vu2 terminates and < Pu1 , Vu2 > ∈ {Accept, Reject}. We termed V as tester (veriﬁer) and any P which interacts with V the prover. Definition 1. Deﬁne the success of an entity A over a test V by SuccessVA = Pr(r,r ) [< Ar , Vr >= Accept] Here, we assume that A can have precise knowledge of how program V functions; A can’t know  (the factor r , internal randomness of V). Definition 2. A test V is said to be (α, β)  human executable if at least an α portion of object (human) density is having success greater than β over tester (V). Note: The success of various groups of humans may depend on several biological/nonbiological factors, their origin language, sensory disabilities etc. For an instance, partial colorblind individual might posses comparatively lesser success rate on tests. Definition 3. A triple φ = (S, D, f) represents an AI problem, where S: a set of problem instances, D: a probability distribution over the problem set S, and
Attack Model on Image based CAPTCHAs
55
f: S → {0, 1}∗ answers the instances. Let, δ ∈ (0, 1]. For an α > 0 fraction of humans H, Prx←D [H(x) = f (x)] > δ Definition 4. An AI problem will be considered to be (δ, τ )  solved if ∃ a program A, running in time at most τ on any input from S, such that, Prx←D,r [Ar (x) = f (x)] ≥ δ Definition 5. An (α, β, η)  CAPTCHA is a test V i.e. its (α, β)  human executable with success and posses following property ∃ (δ, τ )  hard AI problem φ and a program A, such that if B has success more than η over test V, then AB is a (δ, τ ) solution to φ. Overfitting and Underfitting: Overﬁtting generally occurs when a model learns the noise in the training data to the scope that it impacts the performance of the model on new data in negative way. The meaning is that the noise or random ﬂuctuations in the training data is picked up and learned as concepts by the model. Overﬁtting is more likely with nonparametric and nonlinear models that have more ﬂexibility when learning a target function. Underﬁtting all to a model that can neither model the training data nor generalize to the new unseen data. An underﬁt machine learning prototype is not a suitable model and will be selfevident as it will have performance deﬁciency on the training data. An illustration is shown in Fig. 2.
Fig. 2. Overﬁtting and underﬁtting
1.3
Organization of the Paper
The organization of this paper is as follows. In Sect. 2, we review related work brieﬂy. A brief discussion about threat possibilities in form of attacks is discussed in Sect. 3. In Sect. 4, our proposed attack model is described. An extensive experimental analysis is given in Sect. 5. Conclusive summary is given in Sect. 6.
56
A. Singh et al.
2
Related Work
Firstly, the idea for “Automated Turing Tests” appeared in an unpublished manuscript by Naor [5], but it didn’t contain any practical proposal. For preventing“bots” from automatically registering web pages, ﬁrst practical example of an Automated Turing Test was developed by [6]. The challenge was based on the hardness of  reading and recognizing slightly distorted english characters. Similar systems were developed by Coates et al. [7], Xu et al. [8] and Ahn et al. [9]. Simard et al. showed that Optical Character Recognition can achieve humanlike accuracy, even in the case, when letters are distorted, as long as the image can be reliably segmented into its constituent letters [11]. Mori et al. [12] demonstrated that von Ahn’s original CAPTCHA can be solved automatically 92% of the time. Chellapilla et al. [2] given the model design for human interaction proofs. Chew et al. [3] describe method using labelled photographs to generate a CAPTCHA. The authors Elson et al. [14] conjecture that “based on a survey of machine vision literature and vision experts at Microsoft Research, classiﬁcation accuracy of better than 60% will be diﬃcult without a signiﬁcant advance [15,16] in the state of the art”. Object recognition algorithms [17] were used in very successful breaks of the textbased Gimpy and EZGimpy CAPTCHAs. Attacks have been reported in the popular press against the CAPTCHAs used by Yahoo! [18] and Google [19]. Yan et al. [20] gives a detailed description of character segmentation attacks against Microsoft and Yahoo! CAPTCHAs. Chow et al. [21] given an attack approach for clickable CAPTCHAs. Recently, Google used convolutional neural network [22] for detecting home addresses in society images. Use of Recurrent Neural Networks achieved good results recently, as shown by the [23] paper by Google, where they generate a caption (variable length) for a given image. Kwon et al. in [13] proposed an approach with inclusion of uncertainty content in imagebased CAPTCHAs. Althamary et al. given a provably secure scheme [26] for CAPTCHAbased authentication in cloud environment. Tang et al. [27] proposed a generic and fast attack on text CAPTCHAs.
3
Threat Possibilities
Before going into the discussion of the security of image based CAPTCHAs [3], here we review the threat model. CAPTCHA challange models are an unusual area of security where one can’t guarantee to completely prevent attacks, only an attempt can be made practically to slow down attackers. From a mechanistic (orthodox) view, there exist no method to prove that a program cannot pass a test which a human can pass, since there is a program  the human brain  which passes the test. 3.1
Machine Vision Attacks
Based on the stateoftheart study and according to vision of experts, the classiﬁcation accuracy of better than 89% will be hard to achieve without signiﬁcant
Attack Model on Image based CAPTCHAs
57
advances in methodologies to deal with uncertain boundary region conditions. Some attacks of these types are adopted in literature which utilize color histogram analysis but are more theoretical and impractical upto signiﬁcant extent. 3.2
Brute Force Attack
The simplest and classical attack on image based CAPTCHAs is  brute force attack i.e. provide random solution to the CAPTCHA challenges until ﬁnal success. A token bucket scheme is discussed in [14]. In summary, the scheme castigates IP addresses that usually obtain many successive incorrect answers by asking them to answer two challenges in correct manner within the three attempts prior to gaining a ticket. In each 5.6 million guesses, attackers can expect only one service ticket. 3.3
Database Attacks
One possible way to induce attack on image based CAPTCHAs is to partially construct the underlying database. Every challenge, when it is displayed, reveals some portion of database but the question here is  “Is it economically feasible to rebuild the database?” This task may be easy for image database containing less number of images, but for a database which consists millions of images, this approach is unfeasible unless the ﬁnancial incentives are available. 3.4
Implementation Attacks
Weak implementations are vulnerability factors sometimes for CAPTCHAs. Consider, the case if same session id, in which the authorization is performed, is reused in repeated manner to gain access. In a statefull implementation scenario, user sessions and forms of stateful can be tracked while an stateless service may act as a solution to get rid of this scenario.
4
CAPTCHAs Challenge: Proposed Attack Model
Web services are often protected with a challenge that’s supposed to be easy for people to solve, but diﬃcult for computers. Such a challenge is often called a CAPTCHA or HIP (Human Interactive Proof) [2]. HIPs are used for many purposes, such as to reduce email and blog spam and prevent bruteforce attacks on web site passwords. In present scenario, GPUs, Deep Neural Networks and Big Data help us to solve some of the computationally hard problems that were previously seemed to be impossible. Deep learning frameworks and libraries removed the limitation that any computer researcher can only solve those problems whose solutions are expressible as stepwise instructions. In this section, we show that using Deep Convolutional Neural Network, our model can learn the mapping between huge amount of 256 × 256 input color images to an output stipulating the likelihood that each CAPTCHA image belonged to an speciﬁc class  either
58
A. Singh et al.
Fig. 3. Proposed classiﬁcation based attack model
Attack Model on Image based CAPTCHAs
59
class ‘A’ or class ‘B’ with better accuracy. The detailed componentwise diagram for our adopted attack model is represented as Fig. 3.
Algorithm 1. Proposed Classiﬁcation based Attack Model Steps 1: Begin procedure Input: Large sized CAPTCHA images database 2: Use .ﬂow from directory() to generate Batches of image data (and their labels) directly from our jpgs in their respective folders. 3: Augment training section via several random transformations. This will prevent images’ collision while precomputation, as well as prevents model overﬁtting. 4: Deploy Convolutional Neural Network (convnet) with VGG16 architecture. 5: Modulate the entropic capacity by opting one of available choice i.e. choice of parameters count in model (count of layers along with each layer size) or choice of employing weight regularization (e.g. L1 or L2 regularization). 6: A layer is prevented from pattern matching redundantly by reduction in overﬁtting through Dropout. 7: Choose appropriate number of convolution layers along with corresponding LRN (Local Response Normalization) layer, ReLU (Rectiﬁed Linear Unit) and followed by MAXPooling layers. 8: Model is endup with ReLU7 and Dropout7 functional layers. It seems to be perfect for binary classiﬁcation based attack model. 9: Model is trained using Batch generators upto optimal epochs. More computational eﬃcacy is achieved by storing the features oﬄine instead of adding fully connected model directly on top of a frozen convolutional base. 10: Finetune the model using steps 1116. 11: Adopt instantiation of the VGG16 convolutional base and load weights (layers parameters). 12: Add fullyconnected model (deﬁned previously) on the top, and load its weights (very small weight updates). 13: Perform freezing the layers of VGG16 model till last convolutional block. 14: Adopt comparatively more contentious data augmentation and dropout. 15: Finetune an extended convolutional block beside higher regularization. 16: Steps 1115 must be done preferably with a very slow learning rate. 17: End procedure
5
Experimental Analysis and Discussion of Results
This section presents the experimental setup, description of utilized CAPTCHA database, our results and ﬁnally the comparison of obtained results with stateoftheart approaches.
60
5.1
A. Singh et al.
Experimental Setup
In our experiments the software and hardware speciﬁcations are as follows We utilized NGC (NVIDIA GPU Cloud). The high end Tesla K80 GPU accelerator consists of 4992 NVIDIA CUDA cores with a dualGPU design, 8.73 teraﬂops singleprecision performance, 24 GB of GDDR5 RAM, 480 GB/s aggregate memory bandwidth. Experimental model simulation is performed using Caﬀe [4] deep learning framework. 5.2
Dataset Description
For experimentation, Asirra database [24] is utilized. Asirra (Animal Species Image Recognition for Restricting Access) is a HIP (Human Interactive Proof) that works by asking users to identify photographs of cats and dogs. It is a security challenge which protects websites from bot attacks. The archive contains 25,000 images of dogs and cats. Asirra is unique because of its partnership with Petﬁnder.com, the world’s largest site devoted to ﬁnding homes for homeless pets. They have provided Microsoft Research with over three million images of cats and dogs, manually classiﬁed by people at thousands of animal shelters across the United States. The motivation behind choosing the cats and dogs as image CAPTCHA’s object categories is  Google images have about 262 million cat and 169 million dog images indexed. About 67% of United States household have pets (approx 39 million households have cats, approx 48 million households have dogs). Diﬃculty in automatic classiﬁcation of cats and dogs images was exploited to build a security system for web services. 5.3
Procedure and Results
The CAPTCHA images database obtained from Asirra are 256 × 256 pixels. Next, we have the collection of 25,000 images. First we performed manual categorization followed by manual veriﬁcation, in this process 331 misclassiﬁed images (which is 1.3% of the total archive) were identiﬁed and further moved into correct category. After this veriﬁcation procedure, we obtained 12,340 images of object category A (cats), 12,353 images of object category B (dogs) and 307 images placed in other category.Other category contained images which has either no well recognizable object (animal) or it contained both object A and B. Now the other category image instances are simply discared from experiment and rest of the images of object category A and object category B are kept. We adopted our procedure (given in Sect. 4). Each color feature vector consist of the statistical values named: {Minima, Maxima, Skewness, Mean, Standard deviation}; all these feature vectors are combined to form feature space. Next, we build the deep classiﬁer model for attacking Asirra. We used 75% : 25% split procedure for entire database archive, where 75% partition (18,520 images) are used for training [DBtrain] and 25% partition (6173 images) utilized for validation [DBval]. The total number of epochs used in the experiment is 26,
Attack Model on Image based CAPTCHAs
61
with that we achieved an optimal predictive power and performance without overﬁtting.
Fig. 4. Features representation at head portion pixels  (i) at left: object B(dog) (ii) at right: object A(cat)
Fig. 5. Performance graph
In Fig. 4, one can observe that head portion of the object’s body is the dominating part (better discrimination for categorization) in features representation and processing in our scenario. It gives an extra edge for better performance in our CAPTCHA attack task. The performance parameters are clearly visible in Fig. 5. Our trained machine achieved 95.2% accuracy (val), the entire simulation time was 2,113 s. Loss at validation is also represented in the same graph. Graph representation for Epoch vs Learning Rate is shown in Fig. 6. Imagebased
62
A. Singh et al.
Asirra CAPTCHA challenge contains a set of 12 images of objects A (Cats) and B (Dogs) at a time. For solving the challenge, one must be able to correctly diagnose the subset of dog images.
Fig. 6. Epoch vs learning rate ﬂuctuation
A machine classiﬁer possessing a success probability 0 < p < 1 of accurately categorizing a single Asirra archive image succeeds in interpreting a 12image challenge with probability p12 . VGG16 is chosen as base pretrained model over other models as it performed comparatively well due to its simple architecture and the ﬂexibility it provides in terms of choosing the number of network layers based on use case. As our experimental simulation resulted 95.2% accuracy, implies that Asirra image CAPTCHA challenge can completely automatically be solved with higher probability. 5.4
Comparison with StateoftheArt
This section presents the comparison of our adopted procedure with signiﬁcant stateoftheart CAPTCHA attack models/approaches in this domain. The comparative analysis is given in Table 1. In the table, almost all the methodologies i.e. Elson et al. [14], Golle et al. [25], SVM (Polynomial Kernel) and SVM (Radial Basis Function Kernel) which have been taken here into consideration for comparison point of view, were applied on the same dataset. The experimental simulation adopting our proposed procedure resulted 95.2% accuracy, which implies that Asirra image CAPTCHA challenge can completely automatically solved with higher probability. The comparative summary presented in Table 1 proves the novelty of our adopted procedure. Results shows that our procedure outperforms over other existing models/approaches.
Attack Model on Image based CAPTCHAs
63
Table 1. Comparative summary
6
Method/Reference
Data archive size in experiment CAPTCHA type Accuracy(%)
Elson et al. [14]
13,000 Training images
Image based
56.9%
Mori et al. [12]
362 Instances
Text based
92%
Golle et al. [25]
13,000 Training images
Image based
82.7%
SVM (Poly Kernel) 25,000 Images
Image based
81.3%
SVM (RBF Kernel) 25,000 Images
Image based
79.5%
Proposed procedure 25,000 Images
Image based
95.2%
Summary and Conclusions
The domains of cryptography and AI have a lot to bestow to one another. In literature, we investigated several attacks on text and image based CAPTCHAs. We described a machine vision based attack model (classiﬁer) which is 95.2% accurate in detecting apart the images in binary object categories in Asirra. The optimal possible obstacle against our machine vision based attack are strict Internet Protocol (IP) tracking schemes. These schemes can inhibit an adversary to request and attempt to solve exceeding number of CAPTCHA challenges. Another approach to enhance security is  web services should increase the number of images that are employed in challenges. Further work needs to be done to construct CAPTCHAs based on other hard AI problems. Acknowledgments. We would like to thank P.V. Ananda Mohan, Ashutosh Saxena for their valuable suggestions, insights and observations. We would also like to thank the anonymous reviewers whose comments helped improve this paper.
References 1. BotBarrier.com. On the web. http://www.botbarrier.com/ 2. Chellapilla, K., Larson, K., Simard, P., Czerwinski, M.: Designing human friendly human interaction proofs (HIPs). In: Proceedings of ACM CHI 2005 Conference on Human Factors in Computing Systems. Email and Security, pp. 711–720 (2005) 3. Chew, M., Tygar, J.D.: Image recognition CAPTCHAs. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 268–279. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540301448 23 4. http://caﬀe.berkeleyvision.org/ 5. Naor, M.: Veriﬁcation of a human in the loop or Identiﬁcation via the Turing Test. Unpublished Manuscript (1997). Electronically: www.wisdom.weizmann.ac. il/∼naor/PAPERS/human.ps 6. Lillibridge, M.D., Adabi, M., Bharat, K., Broder, A.: Method for selectively restricting access to computer systems. Technical report, US Patent 6,195,698, Applied April 1998 and Approved February 2001 7. Coates, A.L., Baird, H.S., Fateman, R.J.: Pessimal print: a reverse turing test. In: Proceedings of the International Conference on Document Analysis and Recognition (ICDAR 2001), Seattle WA, pp. 1154–1159 (2001)
64
A. Singh et al.
8. Xu, J., Lipton, R., Essa, I.: Hello, are you human. Technical Report GITCC0028, Georgia Institute of Technology, November 2000 9. von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: The CAPTCHA (2000). http:// www.captcha.net 10. von Ahn, L., Blum, M., Langford, J.: Telling humans and computers apart (Automatically) or how lazy cryptographers do AI. Commun. ACM (2002, to appear) 11. Simard, P., Steinkraus, D., Platt, J.C.: Best practices for convolutional neural networks applied to visual document analysis. In: International Conference on Document Analysis and Recognition, pp. 958–962. IEEE Computer Society (2003) 12. Mori, G., Malik, J.: Recognizing objects in adversarial clutter: breaking a visual CAPTCHA. In: Conference on Computer Vision and Pattern Recognition (CVPR 2003), pp. 134–144. IEEE Computer Society (2003) 13. Kwon, S., Cha, S.: A paradigm shift for the CAPTCHA race: adding uncertainty to the process. IEEE Softw. 33(6), 80–85 (2016) 14. Elson, J., Douceur, J., Howell, J., Saul, J.: Asirra: a CAPTCHA that exploits interestaligned manual image categorization. In: Proceedings of ACM CCS 2007, pp. 366–374 (2007) 15. Azakami, T., Shibata, C., Uda, R.: Challenge to impede deep learning against CAPTCHA with ergonomic design. In: IEEE 41st Annual Computer Software and Applications Conference, Italy (2017) 16. Golle, P., Wagner, D.: Cryptanalysis of a cognitive authentication scheme. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy, pp. 66–70. IEEE Computer Society (2007) 17. Mori, G., Malik, J.: Recognizing objects in adversarial clutter: breaking a visual CAPTCHA. In: Proceedings of the 2003 Conference on Computer Vision and Pattern Recognition, pp. 134–144. IEEE Computer Society (2003) 18. SlashDot. Yahoo CAPTCHA Hacked. http://it.slashdot.org/it/08/01/30/0037254. shtml. Accessed 29 Jan 2008 19. Websense Blog: Google’s CAPTCHA busted in recent spammer tactics, 22 February 2008. http://securitylabs.websense.com/content/Blogs/2919.aspx 20. Yan, J., El Ahmad, A.: A lowcost attack on a Microsoft CAPTCHA. In: Proceedings of ACM CCS (2008, to appear) 21. Chow, R., Golle, P., Jakobsson, M., Wang, X., Wang, L.: Making CAPTCHAs clickable. In: Proceedings of HotMobile (2008) 22. Goodfellow, I.J., Bulatov, Y., Ibarz, J., Arnoud, S., Shet, V.: Multidigit number recognition from street view imagery using deep convolutional neural networks. In: Proceedings of ICLR, April 2014 23. Vinyals, O., Toshev, A., Bengio, S., Erhan, D.: Show and tell: a neural image caption generator. arXiv:1411.4555 [cs.CV], 20 April 2015 24. www.microsoft.com/enus/download/details.aspx?id=54765 25. Golle, P.: Machine learning attacks against the Asirra CAPTCHA. In: CCS 2008, Virginia, USA, 27–31 October 2008 26. Althamary, I.A., ElAlfy, E.M.: A more secure scheme for CAPTCHAbased authentication in cloud environment. In: 8th International Conference on Information Technology (ICIT), Jordan, May 2017 27. Tang, M., Gao, H., Zhang, Y.: Research on deep learning techniques in breaking textbased CAPTCHAs and designing imagebased CAPTCHA. IEEE Trans. Inf. Forensics Secur. 13(10), 2522–2537 (2018)
Addressing SideChannel Vulnerabilities in the Discrete Ziggurat Sampler S´eamus Brannigan(B) , M´ aire O’Neill, Ayesha Khalid, and Ciara Raﬀerty Centre for Secure Information Technologies (CSIT), Queen’s University Belfast, Belfast, UK
[email protected]
Abstract. Postquantum cryptography with lattices typically requires high precision sampling of vectors with discrete Gaussian distributions. Lattice signatures require large values of the standard deviation parameter, which poses diﬃcult problems in ﬁnding a suitable tradeoﬀ between throughput performance and memory resources on constrained devices. In this paper, we propose modiﬁcations to the Ziggurat method, known to be advantageous with respect to these issues, but problematic due to its inherent rejectionbased timing proﬁle. We improve upon information leakage through timing channels signiﬁcantly and require: only 64bit unsigned integers, no ﬂoatingpoint arithmetic, no division and no external libraries. Also proposed is a constanttime Gaussian function, possessing all aforementioned advantageous properties. The measures taken to secure the sampler completely close sidechannel vulnerabilities through direct timing of operations and these have no negative implications on its applicability to latticebased signatures. We demonstrate the improved method with a 128bit reference implementation, showing that we retain the sampler’s eﬃciency and decrease memory consumption by a factor of 100. We show that this amounts to memory savings by a factor of almost 5,000, in comparison to an optimised, stateoftheart implementation of another popular sampling method, based on cumulative distribution tables.
1
Introduction
Latticebased Cryptography (LBC) has become popular in the ﬁeld of postquantum publickey primitives and aids research into more advanced cryptographic schemes such as fullyhomomorphic, identitybased and attributebased encryption. For a thorough review on applications and background of LBC, see [1]. This attention is partly due to the low precision arithmetic required to implement a lattice scheme, which rarely extends beyond common standard machine word lengths. The algorithmic complexities are based on vector operations over the integers. There is one, increasingly contentious, component which requires extra precision: Gaussian sampling. By cryptographic standards, this extra precision is low and begins and ends in the sampling phase. First introduced theoretically to c Springer Nature Switzerland AG 2018 A. Chattopadhyay et al. (Eds.): SPACE 2018, LNCS 11348, pp. 65–84, 2018. https://doi.org/10.1007/9783030050726_5
66
S. Brannigan et al.
LBC in [2], Gaussian sampling has been shown to reduce the required key sizes of lattice schemes, but also to be prone to side channel attacks. As an example of this, an attack [3] on the sampler in the latticebased signature scheme, BLISS [4], has been demonstrated using timing diﬀerences due to cache misses. Regardless of the push toward other solutions for cryptographic primitives, Gaussian sampling is prevalent in LBC. It appears in the proofs of security of the fundamental problems [2] and the more advanced applications, especially those using lattice trapdoors [5], rely on it. Each of these applications will be expected to adapt to constrained devices in an increasingly connected world. The NIST call for postquantum cryptographic standards [6] has resulted in a large number of latticebased schemes being submitted, of which a signiﬁcant proportion use Gaussian sampling [7–9]. Issues around the timing side channel exposed by the Gaussian sampling phase would ideally be dealt with by implementing outright constanttime sampling routines. However, popular candidates for LBC include the CDT [10] and Knuth/Yao [11] samplers, based on cumulative distribution tables and random tree traversals, respectively. The impact of ensuring constanttime sampling with these methods is a reduction in their performance. 1.1
Related Work
The large inherent memory growth of these samplers with increasing precision and standard deviation, combined with constanttime constraints, prompted the work of Micciancio and Walter [12]. An arbitrary base sampler was used to sample with low standard deviation, keeping the memory and time proﬁle low, then convolutions on the Gaussian random variables were used to produce samples from a Gaussian distribution with higher standard deviation. The result was a signiﬁcant reduction in the memory required to sample the same distribution with just the base sampler, with no additional performance cost. Importantly, given a constanttime base sampler operating at smaller standard deviation, the aggregate method for large standard deviation is constanttime. The MicciancioWalter paper boasts a timememory trade oﬀ similar to that of Buchmann et al.’s Ziggurat sampler [13]. The former outperforms the latter as an eﬃcient sampler, but the latter has a memory proﬁle better suited to constrained devices. It can be seen in the results of [12] that the convolution method’s lowest memory usage is at a point where the Ziggurat has already maximised its increasing performance. The potential performance of the Ziggurat method exceeds that of the CDT, for high sigma, the latter being commonly used as a benchmark. We ported the former to ANSI C using only native 64bit double types, we compared their performances and memory proﬁles, ﬁnding the Ziggurat to be favourable for time and space eﬃciency, for increasing size of inputs and parameters. See Fig. 1 for throughput performance and Table 1 for memory consumption. This comparison is the ﬁrst of its kind, where Buchmann’s Ziggurat has been implemented in ANSI C, free from the overhead of the NTL library and higherlevel C++ constructs, as the CDT and others have been.
Addressing SideChannel Vulnerabilities in the Discrete Ziggurat Sampler
67
The problem with the Ziggurat method is that it is not easy to contain timing leakage from rejection sampling. The alternative is to calculate the exponential function every time. But it is the exponential function, in fact, which causes the most diﬃculty. Both the NTL [14], used in [13], and glibc [15], used in Fig. 1, exponential functions are prone to leakage, the former from early exit of a Taylor series and the latter from proximity to a table lookup value.
Fig. 1. Time taken for preliminary Ziggurat and CDT samplers to sample 1 million Gaussian numbers. These early experiments were done to 64 bit precision using ﬂoating point arithmetic on one processor of an Intel(R) Core(TM) i76700HQ CPU @ 2.60 GHz
Table 1. Memory usage of the 64bit CDT and Ziggurat samplers at σ = 215. Value for Ziggurat is for 64 rectangles, where its performance peaks. Sampler Memory usage (bytes) CDT Ziggurat
1.2
32,778 1,068
Our Contribution
We build on the work of Buchmann et al. [13] by securing the Ziggurat sampler with respect to information leakage through the timing side channel. The algorithms proposed in this paper target schemes which use a large standard deviation on constrained devices.
68
S. Brannigan et al.
– We highlight sidechannel vulnerabilities in the Ziggurat method, not mentioned in the literature, and propose solutions for their mitigation. – The Ziggurat algorithm is redesigned to prevent leakage of information through the timing of operations. – We propose a novel algorithm for evaluating the Gaussian function in constant time. To the best of our knowledge, this is the ﬁrst such constanttime algorithm. – The Gaussian function, and the overall Ziggurat sampler, is a ﬁxedpoint algorithm built from 64bit integers, using no division or ﬂoating point arithmetic, written in ANSI C. – The reference implementation achieves similar performance to the original sampler by Buchmann et al. and, as it is optimised for functionality over eﬃciency, we expect the performance can be further improved upon. – The amount of memory saved by using our algorithm is signiﬁcantly greater than the advantage seen, already, in the original sampler. – We argue that the proposed sampler now has suﬃcient resilience to physical timing attacks to be considered for constrained devices (such as microcontrollers) and hardware implementations not making use of a caching system. The paper is organised as follows. After a preliminary discussion in Sect. 2, Gaussian sampling via the Ziggurat method of [13] is outlined in Sect. 3. The new ﬁxedpoint Ziggurat algorithm is described in Sect. 4, as is the new ﬁxedpoint, constanttime Gaussian function, in Sect. 4.2. We discuss the results of the sampler and the security surrounding the timing of operations in Sect. 5.
2
Preliminaries def
Notation. We use the shorthand {xi }ni=a = {xi i ∈ Z, a ≤ i ≤ n}. When dealing with ﬁxedpoint representations of a number x, we refer to the fractional part as xQ and the integer part as xZ . The same treatment is given to the results of expressions of mixed numbers, where the expression is enclosed in parentheses and subscripted accordingly. The approximate representation of a number y is denoted y¯. Discrete Gaussian Sampling. A discrete Gaussian distribution DZ,σ over Z, having 0 mean and a standard deviation denoted by σ, is deﬁned as ρσ (x) = exp(−x2 /2σ 2 ) for all integers x ∈ Z. the support, β, of DZ,σ is the (possibly inﬁnite) set of all x which can be sampled from it. The support can be superscripted with a + or − to indicate only the positive or negatives subsets of β and a zero subscripted to either the inclusion of 0. √ ∞of these to indicate Considering Sσ = ρσ (Z) = k=−∞ ρσ (k) ≈ 2πσ, the sampling probability for x ∈ Z from the Gaussian distribution DZ,σ is calculated as ρσ (x)/Sσ . For the LBC constructions undertaken in this research, σ is assumed to be ﬁxed and known, hence it suﬃces to sample from Z+ proportional to ρ(x) for all x > 0
Addressing SideChannel Vulnerabilities in the Discrete Ziggurat Sampler
69
and to set ρ(0)/2 for x = 0, where a sign bit is uniformly sampled to output values over Z. Other than the standard deviation, σ, and the mean, c = 0 for brevity, there are two critical parameters used to describe a ﬁnitely computed discrete Gaussian distribution. The ﬁrst is the precision parameter, λ, which governs the statistical distance between the ﬁnitely represented probabilities of the sampled distribution and the theoretical Gaussian distribution with probabilities in R+ . The second is the tailcut parameter, τ , which deﬁnes how much of the Gaussian distribution’s inﬁnite tail can be truncated, for practical considerations. This factor multiplies the σ parameter to give the maximum value which can be sampled, such that β0+ = {x  0 ≤ x ≤ τ σ}. The choice of λ and τ aﬀects the security of LBC schemes, the proofs of which are often based on the theoretical Gaussian distribution. The schemes come with recommendations for these, for a given security level. The parameters λ and τ are not independent of each other. Sampling to λbit precision corresponds to sampling from a distribution whose probabilities diﬀer by, at most, 2−λ . The tail is usually cut oﬀ so as not to include those elements with combined probability mass below 2−λ . By the deﬁnition of the Gaussian function, this element occurs at the same factor, τ , of σ. For 128bit precision, τ = 13, and for 64bit precision, τ = 9.2. x Taylor Series Approximation. The exponential ∞ function, e , expands as a Taylor series evaluated at zero like such, ex = i=0 xi /i!. When the term to be summed is > 63); } UINT32 c t _ i s n o n z e r o _ u 3 2 ( UINT32 x ) { return ( x   x ) > >31; } UINT32 ct_lt_u32 ( UINT32 x , UINT32 y ) { return ( x ^(( x ^ y )(( x  y )^ y ))) > >31; } UINT32 ct_lt_u64 ( UINT64 x , UINT64 y ) { return ( x ^(( x ^ y )(( x  y )^ y ))) > >63; 1
These functions are adapted from https://cryptocoding.net/index.php/Coding rules and have been extended to use multiprecision logic.
Addressing SideChannel Vulnerabilities in the Discrete Ziggurat Sampler
79
} UINT32 ct_lte_u32 ( UINT32 x , UINT32 y ) { return 1 ^ (( y ^(( y ^ x )(( y  x )^ x ))) > >31); } UINT32 ct_lte_f128 ( fix128_t a , fix128_t b ) { return ct_lt_u64 ( a . a1 , b . a1 )  ct_select_64 (0 , (1^ ct_lt_u64 ( b . a0 , a . a0 )) , (1^(( a . a1  b . a1 )( b . a1  a . a1 )) > >63)); } UINT32 ct_neq_u32 ( UINT32 x , UINT32 y ) { return (( x  y )( y  x )) > >63; } UINT32 ct_select_u32 ( UI NT32 a , UINT32 b , UINT32 bit ) { /* 0 = 0 , 1 = 0 xff .... ff */ UINT32 mask =  bit ; UINT32 ret = mask & ( a ^ b ); ret = ret ^ a ; return ret ; } fix256_t ct_select_f256 ( fix256_t a , fix256_t b , UINT64 bit ) { /* 0 = 0 , 1 = 0 xff .... ff */ UINT64 mask =  bit ; fix256_t ret ;
}
ret . a0 ret . a1 ret . a2 ret . a3
= = = =
mask mask mask mask
& & & &
ret . a0 ret . a1 ret . a2 ret . a3 return
= ret . a0 = ret . a1 = ret . a2 = ret . a3 ret ;
( a . a0 ( a . a1 ( a . a2 ( a . a3 ^ ^ ^ ^
^ ^ ^ ^
b . a0 ); b . a1 ); b . a2 ); b . a3 );
a . a0 ; a . a1 ; a . a2 ; a . a3 ;
Listing 1: Constanttime operations to the various precisions required for a 128bit implementation of the Ziggurat sampler.
80
5
S. Brannigan et al.
Results
This section discusses the enhancements to the Ziggurat method provided by our algorithm. In particular, the lowlevel construction of the sampler leads to a signiﬁcant reduction in the memory footprint, as presented in Sect. 5.1, and, as outlined in Sect. 5.2, the sidechannel resilience of our algorithm makes the Ziggurat method, and the range of parameters to which it is suited (i.e. high standard deviation), a more attainable objective for LBC. 5.1
Performance and Validation
The algorithm presented in this paper solves issues involved with sampling from the discrete Gaussian distribution over the integers via the Ziggurat method, with signiﬁcantly better resilience to sidechannel attacks. The sampler retains its eﬃciency, improves upon use of memory resources and is more suitable for application to lowmemory devices and hardware due to the integer arithmetic and lack of division. Section 5.1 shows the performance and memory proﬁles of our proposed sampler, as well as the original Ziggurat and the CDT [17] samplers. We refer to our sampler as Ziggurat O and to the original algorithm, proposed by Buchmann et al. [13], as Ziggurat B. We notice only a slight decrease in performance, accompanied by improvements of orders of magnitude in memory use, especially when code is taken into account (as can be seen by the sizes of executables). It should be noted, however, that the reference implementation was built with functionality in mind, and there is room for optimising the code, see Sect. 4.1. The results show signiﬁcant improvements in the memory consumption of the Ziggurat sampler. It should be noted that the CDT algorithm has been optimised for both eﬃciency and memory, as it is a core component of the Safecrypto library [17]. For example, the full table sizes of the cumulative distribution function for σ = 19600 is a few times the value given here. The table sizes have been decreased using properties of the KullbackLeibler divergence of the Gaussian distribution [18]. The Ziggurat’s memory proﬁle is orders of magnitude better than that of the CDT and its performance is a small factor slower. With algorithmic ideas for increasing performance suggested in Sect. 4.1, alongside lowlevel optimisations already applied to the CDT sampler (e.g. struct packing), we expect the small factor by which the performance drops can be reduced, possibly to the extent of becoming a performance gain (Table 2). For qualitative assurance of functionality, see Fig. 3 which shows the frequency distributions for 108 samples for Buchmann’s sampler and that proposed in this paper. The sampler behaves as expected, producing a discrete Gaussian distribution at high standard deviation.
Addressing SideChannel Vulnerabilities in the Discrete Ziggurat Sampler
81
Table 2. Performance and memory proﬁle of 106 samples at σ = 19600 for our sampler, Ziggurat O, Buchmann et al.’s sampler, Ziggurat B, and the CDT sampler [17]. All measurements were made with a single CPU on an Intel(R) Core(TM) i76700HQ CPU @ 2.60 GHz. Note, the number of rectangles was 64. Sampler
Time (ms for 106 samples)
Stack and heap allocations (Max) (B)
Size of executable (B)
Ziggurat O 1,102
1,200
27,376
Ziggurat B 1,012
123,000
2,036,608
5,961,000
45,576
CDT
320
Fig. 3. Histograms obtained from 108 samples of the two Ziggurat algorithms.
5.2
Side Channel Security
We referred to a possible attack on the unmodiﬁed Ziggurat sampler in Sect. 4.1, where the x = 0 sample is readily obtained by the diﬀerence in timing of the logic in Algorithm 1 in Algorithm 1 to every other sample. It is seemingly not mentioned elsewhere in the literature. Furthermore, most implementations of the exponential function are not constanttime and will perform the approximation over a given, low valued, domain and raise it to a power dependent on how large the initial exponent was. Large lookup tables are often used to achieve high performance and, should the exponent match a member exactly, the worstcase scenario is direct leakage of samples through any timing method. Typical sidechannel protections to timing attacks involve ensuring that operations which depend on secret data are done in constant time. This is, seemingly, impossible for a rejection sampler. For the Ziggurat sampler, limiting to two possible paths from beginning to accept/reject is, hence, the best that can be done. It is important, however, that all elements of the sample space can be found to have been sampled via both accept paths, which is the case for the enhanced Ziggurat. Further to the more general timing attacks, the “Flush, Gauss and Reload” attack [3] is a topic of ongoing research for which the solutions must be tested on the Ziggurat method. This paper presents an attack on the Gaussian samplers
82
S. Brannigan et al.
of the BLISS signature scheme [4], but also provides unique countermeasures for each sampling method. Fitting these countermeasures individually and assessing the impact on performance is beyond the scope of this paper, but the authors of the cache attack have discussed how the Ziggurat’s countermeasures have signiﬁcantly less overhead, in theory, than those of the CDT and Knuth/Yao. The attack can be summarised as follows. Any nonuniformity in the accessing of table elements can lead to cache misses and timing leakage. It requires that the attacker have shared cache space, which is not typical of constrained systems, but also not an impossible situation. The countermeasure for the Ziggurat sampler amounts to ensuring a load operation is called on all rectangle points, regardless of whether they are needed. The data is loaded but not used further in most cases. General solutions also exist to counter this attack. One such solution was proposed by Roy [19], whereby the samples are shuﬄed and the particular samples for which a timing diﬀerence can be made are obscured. An analysis of the shuﬄing method was carried out by Pessl [20] and improvements were made, but research into the eﬀect of these on the performance and memory proﬁle of samplers is, also, ongoing. Despite the uncertainty surrounding this attack, and the performance penalties induced by the suggested solutions, we expect that the sampler proposed in this paper will not be impacted negatively under the imposed constraints of the “Flush, Gauss and Reload” attack. It is suggested by the authors of the paper that the Knuth/Yao and CDT samplers be implemented in constant time to counter the attack. In contrast, the countermeasures for the Ziggurat sampler amount to two more (blind) load operations with every sample, which is both negligible compared to the operations already being performed and signiﬁcantly less expensive than implementing the Ziggurat in constant time. We argue, however, that the sampler is required to be secure against attacks from direct timing measurements of operations, before countermeasures against cache attacks can be facilitated.
6
Conclusion
We proposed a discrete Gaussian sampler using the Ziggurat method, which signiﬁcantly negates its vulnerability to sidechannel cryptanalysis. Our research improves the Ziggurat sampler’s memory consumption by more than a factor of 100 and maintains its eﬃciency under the new security constraints. Compared with the CDT sampler, the Ziggurat is nearly 5,000 times less memoryintensive. A signiﬁcant amount of work has been carried out on making the sampler more portable and lightweight, as well as less reliant on hardware or software features, such as ﬂoatingpoint arithmetic and extended precision integers. The result is a sampler which is notably more suitable for use in industry, for its portability and lack of dependencies, and as a research tool, for its selfcontained implementation of the lowlevel components which make up the entire sampler.
Addressing SideChannel Vulnerabilities in the Discrete Ziggurat Sampler
83
References 1. Peikert, C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10(4), 283–424 (2016). https://doi.org/10.1561/0400000074 2. Micciancio, D., Regev, O.: Worstcase to averagecase reductions based on Gaussian measures. In: 45th Annual IEEE Symposium on Foundations of Computer Science, October 2004, pp. 372–381 (2004) 3. Groot Bruinderink, L., H¨ ulsing, A., Lange, T., Yarom, Y.: Flush, gauss, and reload – a cache attack on the BLISS latticebased signature scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 323–345. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662531402 16 4. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642400414 3 5. Genise, N., Micciancio, D.: Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. Cryptology ePrint Archive, Report 2017/308 (2017). https:// eprint.iacr.org/2017/308 6. Chen, L., et al.: Report on postquantum cryptography. US Department of Commerce, National Institute of Standards and Technology (2016) 7. Hoﬀstein, J., Pipher, J., Whyte, W., Zhang, Z.: pqNTRUSign: update and recent results (2017). https://2017.pqcrypto.org/conference/slides/recentresults/zhang. pdf 8. Zhang, Z., Chen, C., Hoﬀstein, J., Whyte, W.: NTRUEncrypt. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/ projects/postquantumcryptography/round1submissions 9. Le Trieu Phong, T.H., Aono, Y., Moriai, S.: Lotus. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/postquantumcryptography/round1submissions 10. Peikert, C.: An eﬃcient and parallel Gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642146237 5 11. Sinha Roy, S., Vercauteren, F., Verbauwhede, I.: High precision discrete gaussian sampling on FPGAs. In: Lange, T., Lauter, K., Lisonˇek, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 383–401. Springer, Heidelberg (2014). https://doi.org/10.1007/9783662434147 19 12. Micciancio, D., Walter, M.: Gaussian sampling over the integers: eﬃcient, generic, constanttime. Technical report 259 (2017). https://eprint.iacr.org/2017/259 13. Buchmann, J., Cabarcas, D., G¨ opfert, F., H¨ ulsing, A., Weiden, P.: Discrete Ziggurat: a timememory tradeoﬀ for sampling from a Gaussian distribution over the integers. In: Lange, T., Lauter, K., Lisonˇek, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 402–417. Springer, Heidelberg (2014). https://doi.org/10.1007/9783662434147 20 14. Shoup, V.: Number theory C++ library (NTL) version 10.3.0 (2003). http://www. shoup.net/ntl 15. GNU: glibc2.7 (2018). https://www.gnu.org/software/libc/ 16. Marsaglia, G., Tsang, W.W.: The ziggurat method for generating random variables. J. Stat. Softw. 5(1), 1–7 (2000). https://www.jstatsoft.org/index.php/jss/article/ view/v005i08
84
S. Brannigan et al.
17. libsafecrypto: WP6 of the SAFEcrypto project  a suite of latticebased cryptographic schemes, July 2018, originaldate: 20171016T14:56:31Z. https://github. com/safecrypto/libsafecrypto 18. P¨ oppelmann, T., Ducas, L., G¨ uneysu, T.: Enhanced latticebased signatures on reconﬁgurable hardware. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 353–370. Springer, Heidelberg (2014). https://doi.org/10.1007/9783662447093 20 19. Roy, S.S., Reparaz, O., Vercauteren, F., Verbauwhede, I.: Compact and side channel secure discrete Gaussian sampling. IACR Cryptology ePrint Archive 2014, 591 (2014) 20. Pessl, P.: Analyzing the shuﬄing sidechannel countermeasure for latticebased signatures. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 153–170. Springer, Cham (2016). https://doi.org/10.1007/9783319498904 9
Secure Realization of Lightweight Block Cipher: A Case Study Using GIFT Varsha Satheesh1(B) and Dillibabu Shanmugam2(B) 1
Sri Sivasubramaniya Nadar College of Engineering, Chennai, India varsha98
[email protected] 2 Society for Electronic Transactions and Security, Chennai, India dilliba
[email protected] http://www.ssn.edu.in/, http://www.setsindia.in
Abstract. Lightweight block ciphers are predominately useful in resource constrained InternetofThings(IoT) applications. The security of ciphers is often overthrown by various types of attacks, especially, sidechannel attacks. These attacks make it necessary for us to come up with eﬃcient countermeasure techniques that can revert the eﬀect caused by these attacks. PRESENT inspired block cipher, GIFT is taken for analysis and development of countermeasure. In this paper: Firstly, we have implemented the GIFT algorithm in (Un)rolled fashion for vulnerability analysis. Then cipher key is revealed successfully using correlation power analysis. We proposed various protected implementation proﬁles using Threshold Implementation (TI) and realization techniques carried out on the GIFT algorithm. We believe, the case study widens the choice of levelofsecurity with tradeoﬀ factors for secure realization of the cipher based on application requirement. Keywords: Lightweight block cipher · Sidechannel Threshold Implementation · Internet of Things (IoT) devices
1
Introduction
In recent decades, there has to be no question of doubt whatsoever about the mass deployment of smart electronic devices in our routine lives. These small devices get connected to each other and are used in a wide variety of applications from small light bulbs, toasters, etc. to heart monitoring implants. These embedded devices require cryptographic algorithms for secure transmission of data. The solution for transmitting data securely has been studied for a long time. Since these devices have limited computational capacity, lightweight cryptography ciphers are the best candidates to ensure secure computation and transmission of data in these type of devices. With the widespread presence of embedded devices, security has become a serious issue. The modern adversary can get close to the device, measure the electromagnetic emanation from the device. In some cases, the adversary has even physical access to the device. This adds the c Springer Nature Switzerland AG 2018 A. Chattopadhyay et al. (Eds.): SPACE 2018, LNCS 11348, pp. 85–103, 2018. https://doi.org/10.1007/9783030050726_6
86
V. Satheesh and D. Shanmugam
whole ﬁeld of physical attacks, Implementation attacks to the potential attack scenarios. When a cryptographic algorithm is getting executed, there is information leakage through the sidechannels mostly as diﬀerences in execution time, power or electromagnetic radiations. Attacking these sidechannels to reveal the secret key of the device is referred to as SideChannel analysis attacks. The most notable ones being Simple, Diﬀerential and Correlation Power Analysis. The Diﬀerential Power Analysis (DPA) attack, a subset of SCA captures the power output from a microprocessor performing the encryption algorithm and analyzes the information to reveal the secret key [8]. Subsequently, research community explored various possible attack methods, say, [1,4,6]. Over the years, side channel analysis attack description is categorized into four parts, type of leakage (Power or Electromagnetic emanation), target function attack model(Hamming weight, hamming distance), statistical distinguisher(Diﬀerence of means, correlation or entropy), key candidate selection(key rank enumeration). In general, unprotected implementation of ciphers are vulnerable against these attacks. However, vulnerability analyses help us to identify the weak components of the cipher against side channel attacks, and also minimal attack complexity required for the attack. Furthermore, enable us to come up with diﬀerent and eﬃcacious countermeasures. On onehand these countermeasures focus on changing the ephemeral key regularly, thereby limiting the number of power traces required to reveal key from the cryptographic device. On the otherhand they decrease the signaltonoise ratio to make the correlation invisible. This approach provides provable or high security under some leakage conditions even many number of traces were to be analyzed. Threshold Implementation (TI) was proposed by Nikova [14,15], arrived based on secret sharing [3,18], threshold cryptography [5] and multiparty computation protocols [21]. This is basically splitting the state, speciﬁcally the nonlinear component of the block cipher into several shares by using some random variables. This division is done in a way that combining all the shares will recover the original value and combining all except one will not reveal any information. The degree of SBox, say d, decides the number of secret shares such that s ≥ d + 1. TI mainly relies on three properties, namely correctness, noncompleteness, uniformity of the shared functions. It can be a challenging task to implement TI when nonlinear functions, such as the Sboxes of symmetric key algorithms, are considered. Satisfying all the properties can be imposed by using extra randomness or by increasing the number of shares. Both of these solutions imply an increase of resources required by TI. Eﬃcient way of realizing TI for lightweight cipher and a formula for estimating shared TI Sbox were presented in [16,17]. Threshold Implementation of 4bit SBoxes is proposed in [9]. The countermeasure is provably secure countermeasure against ﬁrst order attacks. Later, TI also found to be vulnerable against speciﬁc types of attack [11,20]. To an extent circuits can be protected from attacks using various implementation techniques. One such technique called unrolled implementation explored on crypto primitivity by Bhasin et al. [2] acts as a countermeasure(resistant)
Secure Realization of Lightweight Block Cipher
87
against side channel attack and hinders the adversary to exploit the leakage even after applying the conventional power models. Later in 2015, [22] showed side channel attack on unrolled implementation of various design constraints provided by Electronic Design Automation tools. In this attack, the author used Welch’s ttest to identify the functional moment of target circuit and normalized the timing between intermediate values. In 2016, the author of [13,19] was able to recover the key completely using side channel attack. Many countermeasures techniques have been developed and explored over the years. However, attacker comeup with diﬀerent techniques to counteract those countermeasures. Though TI is provably secure, experimental study has to be explored against higherorder side channel attacks. As a result, algorithm designers are forced to consider various aspects while designing a cipher such as implementation vulnerability, tradeoﬀ parameters and ofcourse the security analysis of the cipher. In this paper, we explored various implementation proﬁles by combining TI and unrolled implementation on the GIFT cipher to increase the attack complexity. We believe these proﬁles widens the choice of levelofsecurity and its tradeoﬀ based on the application requirement for constrained, conventional and crypto accelerator devices. The contributions of this paper is twofold: – We ﬁrst performed the DPA attack on the GIFT encryption algorithm in the round based fashion. Then we implemented the GIFT cipher in an Unrolled manner and performed the DPA attack analysis before applying the Threshold Implementation countermeasure to it. – The countermeasure is commonly applied to the non linear operation of the algorithm, in this case, it being the SBox. It was found that applying the countermeasure to the ﬁrst four and last four rounds of the algorithm could provide suﬃcient security against malicious attacks. Protected implementation proﬁles are created based on various combination of implementation techniques such as Rolled, Unrolled and Partially unrolled with TI on the ﬁrst and last four rounds of the cipher. Organization of the Paper. We share implementation details of cipher, GIFT in Sect. 2. We explained, how the implementation is vulnerable against DPA in Sect. 3. In Sect. 4, implementation proﬁles are proposed by combining of TI and unrolled and its security against SCA has been studied. Finally, in Sect. 5, the paper is concluded.
2
Implementation Details of GIFT
GIFT is an substitutionpermutation network(SPN) based cipher. Its design is strongly inﬂuenced by the cipher PRESENT. It has two versions GIFT64128: 28 rounds with a block size of 64bits and GIFT128128: 40 rounds with 128bit blocks. Both the versions have 128bit keys. For this work, we focus only on GIFT64128 version.
88
V. Satheesh and D. Shanmugam
Initialization: The cipher state, S is ﬁrst initialized from the 64bit plaintext represented as 16 nibbles of 4bit represented as W15 , . . . W1 , W0 . The 128bit key is divided into 16bit words K7 , K6 , . . . , K0 and is used to initialize the key register K. Round Function: Each round of the cipher comprises of a Substitution Layer (Slayer) followed by a Permutation Layer (PLayer) and a XOR with the roundkey and predeﬁned constants(AddRoundKey). Slayer (S): Apply the same Sbox to each of the 4bit nibbles of the state S. The truthtable for the SBox is shown Table 1. Table 1. GIFT SBox x
0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x) 1 a 4 c 6 f 3 9 2 d b 7 5 0 8 e
PLayer (P): This operation permutes the bits of the cipher state S from position i to P(i). The permutation Table 2 is shown below. Table 2. GIFT PLayer i P(i) i P(i) i P(i) i
0
1
2
3
4
0 17 34 51 48
5
6
7
8
9 10 11 12 13 14 15
1 18 35 32 49
2 19 16 33 50
3
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 4 21 38 55 52
5 22 39 36 53
6 23 20 37 54
7
32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 8 25 42 59 56
9 26 43 40 57 10 27 24 41 58 11
48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
P(i) 12 29 46 63 60 13 30 47 44 61 14 31 28 45 62 15
AddRoundKey: A 32bit round key(RK) and a 7bit round constant (Rcon) is XORed to a part of the cipher state S in this operation. GIFT Encryption: A single block is processed by the application of a series of round functions. At each round, Slayer, PLayer and AddRoundKey operations are performed on the previous cipher state. After 28 such rounds, the state provides the ciphertext. Implementation Platform and Experiemental SetUp: The ModelSim Quartus Prime Pro was used to verify the functionality of the GIFT encryption algorithm written in verilog using test vector as tabled in 4. The SASEBO
Secure Realization of Lightweight Block Cipher
89
Table 3. FPGA utilization of round based implementation FPGA
Slice LUT GE
GIFT power (W) Frequency (MHz)
VirtexXC2VP7
254
331
2358 1.920
262
KintexXC7K16T1BG676 270
261
2438 1.352
490
G Board with two Xilinx VirtexII Pro FPGA devices, xc2vp7 and xc2vp30, one of which was used for the cryptographic circuits, while the other was used for the RS232 serial interface. Also, round based implementation was targeted on the XC7K160T1BG676 chip. FPGA utilization is given Table 3. Oscilloscope(MS07104b) is used to measure the power consumption with help of BNC and trigger probe during execution of the algorithm. Matlab tool is used to analysis. Table 4. Test vector of round based implementation Key
FEDCBA9876543210FEDCBA9876543210 BD91731EB6BC2713A1F9F6FFC75044E7
Plaintext FEDCBA9876543210
C450C7727A9B8A7D
Ciphertex C1B71F66160FF587
E3272885FA94BA8B
3 3.1
Implementation Vulnerability Analysis DPA on (Un)Rolled Based Implementation of GIFT
A DPA attack consists of following ﬁve steps [10]: – – – –
Identify an intermediate points of interest of the executed algorithm. Capture the power consumption. Arrive hypothetical intermediate values. Estimate hypothetical power consumption values, (Phyp ) from hypothesis intermediate values. – Statistically correlate the hypothetical power values with the measured power traces.
The ﬁve steps are applied to GIFT (Un)rolled implementation to retrieve 128bit key. The details are as follows: Step 1: Point of Interest (PoI) Many ways are there arrive at PoI for GIFT based on the implementation techniques. In general round and unrolled based implementation are used in practice. In round(rolled) based implementation, PoI is register. Which is updated by each round function output of the cipher as shown in the Fig. 1(a). Attack phases of round based implementation is given Fig. 1(b). In unrolled based implementation, PoI is functional derivatives of the algorithm, computed ontheﬂy on
90
V. Satheesh and D. Shanmugam
(a) GIFT rolled implementation
(b) Attack phases of GIFT round based implementation
Fig. 1. GIFT round based implementation and attack details
wires. PoI for GIFT unrolled implementation is analyzed in two cases, linear and nonlinear functions as described below. Case 1: Attacking linear function. In GIFT, Sbox is the nonlinear function, but there are no key bits involved in this operation for the ﬁrst round. Hence, it would make no sense to attack the Sbox layer. Key is XORed with the output of PLayer function. Therefore from DPA perspective PoI is AddRoundKey. The output of the ﬁrst round AddRoundKey, P OI1 , is inﬂuenced by 32 key bits. Hence, 32 bits of key can be retrieved in the ﬁrst round. The outputs of the AddRoundKey layer has to be attacked four times at ﬁrst or last four rounds. Thus the GIFT requires four PoI to retrieve 128 bit key completely as shown in Fig. 2.
Fig. 2. GIFT linear function attack phases
Case 2: Attacking nonlinear function, the SBox operation: First round SBox is not inﬂuenced by 32 key bits, it is only dissolved from the second round SBox. Therefore attacking second round SBox makes sense and provides 2 key bits guess per SBox. By expanding to 16 chunks of SBox, 32 key bits can be guessed. Similarly, second, third and fourth round keys are inﬂuenced by third, fourth and ﬁfth round SBox functions respectively. On attacking subsequent rounds of Sbox at four diﬀerent PoI as shown in Fig. 3, we were able to retrieve 128 bit key completely. Thus the GIFT requires four PoI from plaintext or ciphertext side to retrieve 128 key bits for both rolled or unrolled attack as
Secure Realization of Lightweight Block Cipher
91
shown in the Figs. 1(a) and 4 respectively. All 128 key bits are retrieved after four rounds of attack.
Fig. 3. GIFT nonlinear function attack phases
Step 2: Capture power consumption (Pmsd ). Power consumption of both Round and Unrolled based implementation are captured as shown in Fig. 4(a) and (b) respectively. From the Fig. 4(a) round functions are distinguishable whereas for Unrolled implementation power consumption raises abruptly during execution and then comes down as in Fig. 4(b). Voltage points of a power trace are stored in MATLAB matrix format for analysis, Pmsd (i,T), where ’i’ represent ith encryption and ’T’ represent total number of points in a power trace.
(a) GIFT rolled power consumption
(b) GIFT Unrolled power consumption
Fig. 4. GIFT round based implementation and attack details
Step 3: Calculate hypothetical intermediate values. The divide and conquer approach is used for Correlation Power Analysis(CPA) attack. As long as the chunks are small, their attack complexity also reduces signiﬁcantly. Therefore, a chunk of 2bit is taken at a time from POI for analysis. All the possible combination of key values (key search space) for those 2bit with the corresponding bits of plaintext used for encryption are extracted to generate hypothetical
92
V. Satheesh and D. Shanmugam
intermediate value at POI. Hypothetical intermediate value for ﬁrst, M 1ij , second, M 2ij , third, M 3ij and fourth, M 4ij POIs are given in the Eqs. (1), (2), (3) and (4) respectively. M 1ij = P L(S(Pji )) ⊕ K1j,t ⊕ RC1j
(1)
M 2ij = P L(S(P L(S(Pji+1 )) ⊕ K1j,t ⊕ RC1j )) ⊕ K2j,t ⊕ RC2j
(2)
M 3ij = P L(S(P L(S(P L(S(Pji+1 )) ⊕ K1j,t ⊕ RC1j ))
(3)
⊕ K2j,t ⊕ RC2j )) ⊕ K3j,t ⊕ RC3j M 4ij = P L(S(P L(S(P L(S(P L(S(Pji+1 )) ⊕ K1j,t ⊕ RC1j )) ⊕ K2j,t ⊕ RC2j )) ⊕ K3j,t ⊕ RC3j )) ⊕ K4j,t ⊕ RC4j
(4)
where, Pji is denoted as plaintext of j th nibble of ith encryption. j ranges from 0 ≤ j ≤ 15, and K1j,t , K2j,t , K3j,t , K4j,t , t = ranges from 1 to 2. Step 4: Compute hypothetical power consumption In order to arrive at the hypothetical power consumption, the power model should be realistic enough to describe the power consumption between each and every intermediate stages of the algorithm executed in the hardware module. In round based implementation the same register is repeatedly used for storing each round output. This helps to ﬁnd, howmuch power is required for computing a single round function. Conceptually, the number of ﬂipﬂop transition between the ﬁrst and second round on the register reﬂect power consumption of a single round function. Hamming distance (HD) model suits very well to describe the power consumption of round(rolled) GIFT implementation which is basically the, Hamming distance between two round functions. Normally, HD is calculated between two state values of the register. In unrolled implementation there is no concept of register to store and update rounds output value and entire algorithm is executed in a single clock cycle. Therefore power consumption of a speciﬁc function is calculated by observing variation that happen between the present encryption and previous encryption of the cipher at same instances in the wire. Using HD, hypothetical power consumption is arrived for four PoIs as follows, P 1ihyp , P 2ihyp , P 3ihyp , and P 4ihyp , are represented in (5), (6), (7) and (8) respectively. P 1ihyp = HD(M 1ij ⊕ M 1i−1 j )
(5)
M 2i−1 j ) M 3i−1 j ) M 4i−1 j )
(6)
P 2ihyp P 3ihyp P 4ihyp
= = =
HD(M 2ij HD(M 2ij HD(M 4ij
⊕ ⊕ ⊕
(7) (8)
i denotes the power consumption of ith encryption Phyp Step 5: Correlation between measured (Pmsd ) and hypothetical (Phyp ) power consumption. Pearson’s Correlation coeﬃcient is used to correlate measured power consumption and hypothetical power consumption. Each
Secure Realization of Lightweight Block Cipher
93
column of the Pmsd is correlated with each column of the Phyp to obtain rank matrix. The rank matrix shows the correct key guess with highest correlation value. n i=1 (Pmsd,i − Pmsd,i )(Phyp − Phyp ) (9) r(i, j) = n n 2 2 (P − P ) msd,i msd i=1 i=1 (Phyp,i − Phyp ) Here, i and j represent ith row and j th column of the corresponding power consumption matrix. 3.2
Attack Description
In this section, the attack is explored in four phases as shown in the Fig. 1. In the ﬁrst phase attack, the plaintext is correlated with the ﬁrst round output to decipher the key bit positions[31 to 0] as represented in test vector Table 4. Phase 1 attack at PoI(M1): After a single round, the intermediate value is updated in the register by overwriting plaintext value. Let us consider an example with MSB four bits of plaintext, [P63, P62, P61, P60]. First, Sbox randomly changes the value, say, [S63, S62, S61, S60]. Then permutation is performed, that is, [S63, S62, S61, S60] bits are changed with the corresponding bits [S51, S62, S57, S52]. HD = HW [(P 63, P 62, P 61, P 60)⊕ (1⊕ S51, S62, S57⊕ K31, S52⊕ K15)] (10) In the Add Round key operation, 1 is XORed with S51, S62 remains as it is, S57 and S52 bits are XORed with key bits K31 and K15 respectively. Finally, these [1 ⊕ S51, S62, S57 ⊕ K31, S52 ⊕ K15] bits replace MSB four bits of plaintext, [P63, P62, P61, P60] in the register as highlighted in yellow color in Fig. 5. Therefore, the power consumption for four bits can be computed by calculating Hamming distance(HD) between MSB four bits of plaintext and MSB four bits of ﬁrst round output, that is, as in Eq. 10, where K31 and K15 bits are unknown, whereas all other bits are known or can be derived from plaintext or ciphertext. By doing hypothesis for the two bits and correlating with captured power traces, the two key bits K31 and K15 would be revealed as shown in Fig. 6. In Fig. 6(a) signiﬁcant peak shows at index one, hence key value in binary is “00”, meaning K31 = 0 and K15 = 0. Minimum number of powertraces required are 25,000 thousand to reveal key bits as depicted in Fig. 6(b). In a similar way, the remaining 15 chunks of 4bit data can be correlated to obtain 30 key bits. Hence, the ﬁrst round attack can fetch 32 key bits. The correlation of the plaintext bits with the ﬁrst round output bits and the corresponding retrieval of the key bits can be inferred from the hypothetical power model for GIFT that has been derived and given in Appendix A, Table 6. In the second phase attack, the ﬁrst round output is correlated with the second round output to decipher the [63:32] key bit positions using guessed key bits K[31 to 0].
94
V. Satheesh and D. Shanmugam
Fig. 5. Round function and its bits position for MSB four bits (Color ﬁgure online)
(a) MSB two key bits guess, K31, K15
(b) Correlation vs No.of.powertraces
Fig. 6. Phase 1 attack of GIFT
Phase 2 attack at PoI(M2): A similar approach as described in phase 1, is followed to decipher the 32 key bits so that at the end of two rounds, there would have been 64 bits out of the total 128 key bits retrieved as given in Appendix A, Table 7. In the third and fourth phase of attack, remaining 64 bits were retrieved as given in Appendix A, Table 8 and 9 respectively. 3.3
Attack Complexity
In generally, attack complexity refers to keyhypothesis required to guess the secret key. In GIFT, 2bit key hypothesis is required to reveal two bits of the key using correlation. Therefore, the attack complexity to retrieve two bits is 22 . After the ﬁrst round correlation, there are 32 bits of the key deciphered. Therefore, the attack complexity for 16 such 2bit keys would be 64. We mounted a similar attack on the second, third and fourth rounds respectively to reveal the remaining 96 key bits. We found that, to decipher 32 key bits, there is an attack complexity of 64. In order to retrieve all the 128 key bits, the attack complexity would be equal to 4 ∗ 64 which equals 256. Using described process in Sect. 3.1 attack on unrolled implementation is explored successfully to retrieve the key. Therefore, the overall Attack Complexity to retrieve all the key bits equals 28 as given in Appendix A.
Secure Realization of Lightweight Block Cipher
4
95
Countermeasures: Threshold Implementation for GIFT
We implemented the following proﬁles by applying TI on ﬁrst and last four rounds of GIFT with Rolled, Partially Unrolled and Unrolled fashions. 1. 2. 3. 4. 5.
Round based implementation with TI on speciﬁc rounds Partially unrolled cum TI Partially unrolled cum TI on speciﬁc rounds Unrolled cum TI Unrolled cum TI on speciﬁc rounds.
The following factors are important to arrive eﬃcient TI implementation of a cipher, namely, properties of TI, algebraic degree of Sbox, feasibility of Sbox decomposition and number of shares adopted for the implementation. Three basic properties, Correctness, Noncompleteness and Uniformity should be satisﬁed for TI realization. Predominantly, algebraic degree of Sbox(d) decides number of shares(S) for the implementation(S ≥ d + 1). In case of GIFT, algebraic degree of Sbox(d) is 3, so need 4 shares(4 ≥ 3+1). As number of shares increase area utilization also increases, therefore, feasibility study of Sbox decomposition is important, which will decompose a cubic functions into two quadratic functions. The realization of a quadratic function can be done using three shares, thereby area will be reduced. The decomposed Sbox quadratic functions belongs to quadratic class represented in the paper [7] is taken for our analysis. 1. Round based implementation with TI on specific rounds From Sect. 3.1 it is clear that, to retrieve 128 keybits attacking vulnerable PoIs at ﬁrst four rounds or last four rounds is enough. Therefore, applying TI countermeasure solution only on those rounds makes sense. Implementation details are shown in the Fig. 7 with metric Table 5.
Fig. 7. GIFT round based implementation with TI on speciﬁc rounds
This will increase attack complexity from 22 to 26 for every two key bits. Hence, for 128 key bits attack complexity is 26 ∗ 64. Moreover, power consumption of the device will be reduced during the execution of middle rounds. FPGA utilization are shared in the Table 5. 2. Partially unrolled cum TI First four rounds or last four rounds are vulnerable against side channels. It is evident from [12], that, single countermeasure technique is not enough to thwart the attack. Here the idea is to combine two solutions in an eﬃcient
96
V. Satheesh and D. Shanmugam
way, which will increase the attack complexity and also resource tradeoﬀ can be achieved based on the security requirement. As four rounds are vulnerable, unrolled implementation with TI is adopted for every four rounds, meaning 28 rounds of the cipher is executed in seven clock cycles. Implementation architecture is shown in the Fig. 8.
Fig. 8. GIFT partially unrolled cum TI
Parametric metrics for the implementation are shared in the Table 5. Now the eﬀort to attack the implementation is two fold. Firstly, a large number of powertraces is required to attack the unrolled implementation. Secondly, additional key hypothesis factors have to be considered because of masking. This will deﬁnitely increase the complexity. 3. Partially unrolled cum TI on specific rounds In this proﬁle, ﬁrst four rounds and last four rounds are implemented in unrolled manner with TI. The proﬁle is subclassiﬁed into three cases based on middle rounds realization as shown in Fig. 9 to understand utilization of various implementation styles as follows: (a) Rounds 5 to 24 are implemented in rolled fashion. Meaning, ﬁrst and last four rounds are executed in each one cycle, remaining middle 20 rounds are execute in 20 clock cycles. Totally 22 clock cycle are required for the cipher realization.
Fig. 9. GIFT partial unrolled cum TI on speciﬁc rounds
Secure Realization of Lightweight Block Cipher
97
(b) Rounds 5 to 24 are realized in partially unrolled manner. Middle 20 rounds takes 5 clock cycles for realization. Finally, seven clock cycle are required for the cipher execution. (c) Rounds 5 to 24 are realized in unrolled way. So, ﬁrst and last four rounds are executed in each one cycle, remaining middle 20 rounds are execute in single clock cycle. Totally 3 clock cycle are required for the cipher realization. This kind of implementation suitable for resource constrained and conventional crypto devices. 4. Unrolled cum TI Enter cipher is executed in a single cycle with TI protection on all the rounds of the cipher. Though it makes use of more hardware resources, it provides high security and low latency cipher during execution. Implementation details and hardware utilization are given in Fig. 10 and Table 5 respectively.
Fig. 10. GIFT unrolled cum TI
5. Unrolled cum TI on specific rounds In this proﬁle, the enter cipher is executed in a single cycle with TI protection on ﬁrst and last four rounds of the cipher. Implementation details Fig. 11, architecture Fig. 13 and hardware details are given in the Table 5.
Fig. 11. GIFT unrolled cum TI on speciﬁc rounds
We further narrowed down this approach by applying this TI countermeasure to only those equations of the nonlinear component that is inﬂuenced by the key bits. This will provide the same degree of security as by applying to all the equations. The proﬁle 4 and 5 are suitable for high end resource constrained devices, conventional devices and to an extent the protection techniques can also be adopted for crypto accelerator devices. In our TI implementation, the intermediate register is not used between G and F functions. As a result, the circuit may be prone to glitches, but the functionality will not aﬀected. Also, it was concluded that employing the TI countermeasures to only those equations of the Sbox aﬀected
98
V. Satheesh and D. Shanmugam Table 5. GIFT implementation proﬁles: performance metrics Proﬁles
Slices 4LUT Slice FF Frequency (MHz) Clock cycles
Proﬁle 1
1147
2060
792
155
28
Proﬁle 2
3416
5456
751
55
7
Proﬁle 3.a 2442
4538
789
66
22
Proﬁle 3.b 2416
4456
551
64
7
Proﬁle 3.c 4482
8412
571
34
3
Proﬁle 4
4918
9374
479
22
1
Proﬁle 5
3894
7246
260
20
1
Round Unrolled
254
331
370
262
28
1638
2969
205
35
1
by the key bits provides the same degree of security as employing it to all the equations of the SBox. This kind of approach tends to reduce the tediousness and complexity of the experiment. We evaluated side channel leakage against the proﬁle, GIFT Partial Unrolled Cum TI on speciﬁc rounds using Test Vector Leakage Assessment(TVLA) as shown in Fig. 12(a) and (b) found secure upto 1 Million traces. Similarly for all the proﬁle resistant were evaluated using TVLA.
(a) Leakage evaluation at first round output,(b) Leakage evaluation of first round(in/out) on most significant nibble 60th bit
Fig. 12. TVLA: GIFT partially unrolled cum TI
5
Conclusion
While implementations of cryptographic algorithms in pervasive devices face serious area and power constraints, their resistance against physical attacks has to be taken into account. Unfortunately, nearly all sidechannel countermeasures
Secure Realization of Lightweight Block Cipher
99
introduce power and area overheads which are proportional to the values of the unprotected implementation. Therefore, this fact prohibits the implementation of a wide range of proposed countermeasures and also limits possible cipher candidates for ubiquitous computing applications. In this paper, we successfully mounted a Correlation Power Analysis attack on two kinds of GIFT implementation, namely Round based and Unrolled manner. We also applied Threshold Implementation as a countermeasure on the ﬁrst four and last four rounds of the GIFT cipher with rolled, unrolled and partially unrolled implementation techniques. In the future, we plan to explore Orthogonal Direct Sum Masking techniques with these proﬁles to reduce glitches and fault attacks. Acknowledgments. I would like to thank the Executive Director of Society for Electronic Transactions and Society (SETS), Dr. N Sarat Chandra Babu for providing the internship opportunity in hardware security research. We would also like to thank Associate Professor, Thomas Peyrin of Nanyang Technological University (NTU) for sharing the Gift cipher test vectors and anonymous reviewers for their useful comments.
A
Appendix
Attack Phases of GIFT. Table 6. Attack phase 1 of GIFT Plaintext bits After AddRoundkey bits PT[63,62,61,60] ARK[51,62,57,52] PT[59,58,57,56] ARK[35,46,41,36] PT[55,54,53,52] ARK[19,30,25,20] PT[51,50,49,48] ARK[3,14,9,4] PT[47,46,45,44] ARK[55,50,61,56] PT[43,42,41,40] ARK[39,34,45,40] PT[39,38,37,36] ARK[23,18,29,24] PT[35,34,33,32] ARK[7,2,13,8] PT[31,30,29,28] ARK[59,54,49,60] PT[27,26,25,24] ARK[43,38,33,44] PT[23,22,21,20] ARK[27,22,17,28] PT[19,18,17,16] ARK[11,6,1,2] PT[15,14,13,12] ARK[53,58,53,48] PT[11,10,9,8] ARK[47,42,37,32] PT[7,6,5,4] ARK[31,26,21,16] PT[3,2,1,0] ARK[15,10,5,0]
Keybits Complexity K[31],K[15] 4 K[30],K[14] 4 K[29],K[13] 4 K[28],K[12] 4 K[27],K[11] 4 K[26],K[10] 4 K[25],K[9] 4 K[24],K[8] 4 K[23],K[7] 4 K[22],K[6] 4 K[21],K[5] 4 K[20],K[4] 4 K[19],K[3] 4 K[18],K[2] 4 K[17],K[1] 4 K[16],K[0] 4
Hence overall attack complexity is 4 ∗ 64 is 256. Architecture of GIFT Unrolled Cum TI on Specific Rounds
100
V. Satheesh and D. Shanmugam
Table 7. Attack phase 2 of GIFT Plaintext bits AddRoundkey bits P T [51, 62, 57 ⊕ k[31], 52 ⊕ k[15]] ARK[3, 62, 41 ⊕ k[30] ⊕ k[63], 20 ⊕ k[13] ⊕ k[47]] P T [35, 46, 41 ⊕ k[30], 36 ⊕ k[14]] ARK[7, 50, 45 ⊕ k[26] ⊕ k[62], 24 ⊕ k[9] ⊕ k[46]] P T [19, 30, 25 ⊕ k[29], 20 ⊕ k[13]] ARK[11, 54, 33 ⊕ k[22] ⊕ k[61], 28 ⊕ k[5] ⊕ k[45]] P T [3, 14, 9 ⊕ k[28], 4 ⊕ k[12]] ARK[15, 5837 ⊕ k[18] ⊕ k[60], 16 ⊕ k[1] ⊕ k[44]] P T [55, 50, 61 ⊕ k[27], 56 ⊕ k[11]] ARK[19, 14, 57 ⊕ k[31] ⊕ k[59], 36 ⊕ k[14] ⊕ k[43]] P T [39, 34, 45 ⊕ k[26], 40 ⊕ k[10]] ARK[23, 2, 61 ⊕ k[27] ⊕ k[58], 40 ⊕ k[10] ⊕ k[42]] P T [23, 18, 29 ⊕ k[25], 24 ⊕ k[9]] ARK[27, 6, 49 ⊕ k[23] ⊕ k[57], 44 ⊕ k[6] ⊕ k[41]] P T [7, 2, 13 ⊕ k[24], 8 ⊕ k[8]] ARK[31, 10, 53 ⊕ k[19] ⊕ k[56], 32 ⊕ k[2] ⊕ k[40]] P T [59, 54, 49 ⊕ k[23], 60 ⊕ k[7]] ARK[35, 30, 9 ⊕ k[28] ⊕ k[55], 52 ⊕ k[15] ⊕ k[39]] P T [43, 38, 33 ⊕ k[22], 44 ⊕ k[6]] ARK[39, 18, 13 ⊕ k[24] ⊕ k[54], 56 ⊕ k[11] ⊕ k[38]] P T [27, 22, 17 ⊕ k[21], 28 ⊕ k[5]] ARK[43, 22, 1 ⊕ k[20] ⊕ k[53], 60 ⊕ k[7] ⊕ k[37]] P T [11, 6, 1 ⊕ k[20], 12 ⊕ k[4]] ARK[47, 26, 5 ⊕ k[16] ⊕ k[52], 48 ⊕ k[3] ⊕ k[36]] P T [63, 58, 53 ⊕ k[19], 48 ⊕ k[3]] ARK[51, 46, 25 ⊕ k[29] ⊕ k[51], 4 ⊕ k[12] ⊕ k[35]] P T [47, 42, 37 ⊕ k[18], 32 ⊕ k[2]] ARK[55, 34, 29 ⊕ k[25] ⊕ k[50], 8 ⊕ k[8] ⊕ k[34]] P T [31, 26, 21 ⊕ k[17], 16 ⊕ k[1]] ARK[59, 38, 17 ⊕ k[21] ⊕ k[49], 12 ⊕ k[4] ⊕ k[33]] P T [15, 10, 5 ⊕ k[16], 0 ⊕ k[0]] ARK[63, 42, 21 ⊕ k[17] ⊕ k[48], 0 ⊕ k[0] ⊕ k[32]]
Keybits Complexity K[63],K[47] 4 K[62],K[46] 4 K[61],K[45] 4 K[60],K[44] 4 K[59],K[43] 4 K[58],K[42] 4 K[57],K[41] 4 K[56],K[40] 4 K[55],K[39] 4 K[54],K[38] 4 K[53],K[37] 4 K[52],K[36] 4 K[51],K[35] 4 K[50],K[34] 4 K[49],K[33] 4 K[48],K[32] 4
Table 8. Attack phase 3 of GIFT Plaintext bits
AddRoundkey bits
Keybits
Complexity
P T [3, 62, 41 ⊕ k[63], 20 ⊕ k[47]] P T [7, 50, 45 ⊕ k[62], 24 ⊕ k[46]] P T [11, 54, 33 ⊕ k[61], 28 ⊕ k[45]] P T [15, 58, 37 ⊕ k[60], 16 ⊕ k[44]] P T [19, 14, 57 ⊕ k[59], 36 ⊕ k[43]] P T [23, 2, 61 ⊕ k[58], 40 ⊕ k[42]] P T [27, 6, 49 ⊕ k[57], 44 ⊕ k[41]] P T [31, 10, 53 ⊕ k[56], 32 ⊕ k[40]] P T [35, 30, 9 ⊕ k[55], 52 ⊕ k[39]] P T [39, 18, 13 ⊕ k[54], 56 ⊕ k[38]] P T [43, 22, 1 ⊕ k[53], 60 ⊕ k[37]] P T [47, 26, 5 ⊕ k[52], 48 ⊕ k[36]] P T [51, 46, 25 ⊕ k[51], 4 ⊕ k[35]] P T [55, 34, 29 ⊕ k[50], 8 ⊕ k[34]] P T [59, 38, 17 ⊕ k[49], 12 ⊕ k[33]] P T [63, 42, 21 ⊕ k[48], 0 ⊕ k[32]]
ARK[15, 62, 45 ⊕ k[62] ⊕ k[95], 28 ⊕ k[45] ⊕ k[79]] ARK[31, 14, 61 ⊕ k[58] ⊕ k[94], 44 ⊕ k[41] ⊕ k[78]] ARK[47, 30, 13 ⊕ k[54] ⊕ k[93], 60 ⊕ k[37] ⊕ k[77]] ARK[63, 46, 29 ⊕ k[50] ⊕ k[92], 12 ⊕ k[33] ⊕ k[76]] ARK[11, 58, 41 ⊕ k[63] ⊕ k[91], 24 ⊕ k[46] ⊕ k[75]] ARK[27, 10, 57 ⊕ k[59] ⊕ k[90], 40 ⊕ k[42] ⊕ k[74]] ARK[43, 26, 9 ⊕ k[55] ⊕ k[89], 56 ⊕ k[38] ⊕ k[73]] ARK[59, 42, 25 ⊕ k[51] ⊕ k[88], 8 ⊕ k[34] ⊕ k[72]] ARK[7, 54, 37 ⊕ k[60] ⊕ k[87], 20 ⊕ k[47] ⊕ k[71]] ARK[23, 6, 53 ⊕ k[56] ⊕ k[86], 36 ⊕ k[43] ⊕ k[70]] ARK[39, 22, 5 ⊕ k[52] ⊕ k[85], 52 ⊕ k[39] ⊕ k[69]] ARK[55, 38, 21 ⊕ k[48] ⊕ k[84], 4 ⊕ k[35] ⊕ k[68]] ARK[3, 50, 33 ⊕ k[61] ⊕ k[83], 16 ⊕ k[44] ⊕ k[67]] ARK[19, 2, 49 ⊕ k[57] ⊕ k[82], 32 ⊕ k[40] ⊕ k[66]] ARK[35, 18, 1 ⊕ k[53] ⊕ k[81], 48 ⊕ k[36] ⊕ k[65]] ARK[51, 34, 17 ⊕ k[49] ⊕ k[80], 0 ⊕ k[32] ⊕ k[64]]
K[95],K[79] K[94],K[78] K[93],K[77] K[92],K[76] K[91],K[75] K[90],K[74] K[89],K[73] K[88],K[72] K[87],K[71] K[86],K[70] K[85],K[69] K[84],K[68] K[83],K[67] K[82],K[66] K[81],K[65] K[80],K[64]
4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
Table 9. Phase 4 of GIFT Plaintext bits
AddRoundkey bits
Keybits
Complexity
P T [15, 62, 45 ⊕ k[62] ⊕ k[95], 28 ⊕ k[45] ⊕ k[79]] P T [31, 14, 61 ⊕ k[58] ⊕ k[94], 44 ⊕ k[41] ⊕ k[78]] P T [47, 30, 13 ⊕ k[54] ⊕ k[93], 60 ⊕ k[37] ⊕ k[77]] P T [63, 46, 29 ⊕ k[50] ⊕ k[92], 12 ⊕ k[33] ⊕ k[76]] P T [11, 58, 41 ⊕ k[63] ⊕ k[91], 24 ⊕ k[46] ⊕ k[75]] P T [27, 10, 57 ⊕ k[59] ⊕ k[90], 40 ⊕ k[42] ⊕ k[74]] P T [43, 26, 9 ⊕ k[55] ⊕ k[89], 56 ⊕ k[38] ⊕ k[73]] P T [59, 42, 25 ⊕ k[51] ⊕ k[88], 8 ⊕ k[34] ⊕ k[72]] P T [7, 54, 37 ⊕ k[60] ⊕ k[87], 20 ⊕ k[47] ⊕ k[71]] P T [23, 6, 53 ⊕ k[56] ⊕ k[86], 36 ⊕ k[43] ⊕ k[70]] P T [39, 22, 5 ⊕ k[52] ⊕ k[85], 52 ⊕ k[39] ⊕ k[69]] P T [55, 38, 21 ⊕ k[48] ⊕ k[84], 4 ⊕ k[35] ⊕ k[68]] P T [3, 50, 33 ⊕ k[61] ⊕ k[83], 16 ⊕ k[44] ⊕ k[67]] P T [19, 2, 49 ⊕ k[57] ⊕ k[82], 32 ⊕ k[40] ⊕ k[66]] P T [35, 18, 1 ⊕ k[53] ⊕ k[81], 48 ⊕ k[36] ⊕ k[65]] P T [51, 34, 17 ⊕ k[49] ⊕ k[80], 0 ⊕ k[32] ⊕ k[64]]
ARK[63, 62, 61 ⊕ k[58] ⊕ k[94] ⊕ k[127], 60 ⊕ k[37] ⊕ k[77] ⊕ k[111]] ARK[59, 58, 57 ⊕ k[59] ⊕ k[90] ⊕ k[126], 56 ⊕ k[38] ⊕ k[73] ⊕ k[110]] ARK[55, 54, 53 ⊕ k[56] ⊕ k[86] ⊕ k[125], 52 ⊕ k[39] ⊕ k[69] ⊕ k[109]] ARK[51, 50, 49 ⊕ k[57] ⊕ k[82] ⊕ k[124], 48 ⊕ k[36] ⊕ k[65] ⊕ k[108]] ARK[47, 46, 45 ⊕ k[62] ⊕ k[95] ⊕ k[123], 44 ⊕ k[41] ⊕ k[78] ⊕ k[107]] ARK[43, 42, 41 ⊕ k[63] ⊕ k[91] ⊕ k[122], 40 ⊕ k[42] ⊕ k[74] ⊕ k[106]] ARK[39, 38, 37 ⊕ k[60] ⊕ k[87] ⊕ k[121], 36 ⊕ k[43] ⊕ k[70] ⊕ k[105]] ARK[35, 34, 33 ⊕ k[61] ⊕ k[83] ⊕ k[120], 32 ⊕ k[40] ⊕ k[66] ⊕ k[104]] ARK[31, 30, 29 ⊕ k[50] ⊕ k[92] ⊕ k[119], 28 ⊕ k[45] ⊕ k[79] ⊕ k[103]] ARK[27, 26, 25 ⊕ k[51] ⊕ k[88] ⊕ k[118], 24 ⊕ k[46] ⊕ k[75] ⊕ k[102]] ARK[23, 22, 21 ⊕ k[48] ⊕ k[84] ⊕ k[117], 20 ⊕ k[47] ⊕ k[71] ⊕ k[101]] ARK[19, 18, 17 ⊕ k[49] ⊕ k[80] ⊕ k[116], 16 ⊕ k[44] ⊕ k[67] ⊕ k[100]] ARK[15, 14, 13 ⊕ k[54] ⊕ k[93] ⊕ k[115], 12 ⊕ k[33] ⊕ k[76] ⊕ k[99]] ARK[11, 10, 9 ⊕ k[55] ⊕ k[89] ⊕ k[114], 8 ⊕ k[34] ⊕ k[72] ⊕ k[98]] ARK[7, 6, 5 ⊕ k[52] ⊕ k[85] ⊕ k[113], 4 ⊕ k[35] ⊕ k[68] ⊕ k[97]] ARK[3, 2, 1 ⊕ k[53] ⊕ k[81] ⊕ k[112], 0 ⊕ k[32] ⊕ k[64] ⊕ k[96]]
K[127],K[111] K[126],K[110] K[125],K[109] K[124],K[108] K[123],K[107] K[122],K[106] K[121],K[105] K[120],K[104] K[119],K[103] K[118],K[102] K[117],K[101] K[116],K[100] K[115],K[99] K[114],K[98] K[113],K[97] K[112],K[96]
4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
Fig. 13. Architecture of GIFT unrolled cum TI on speciﬁc rounds
Secure Realization of Lightweight Block Cipher 101
102
V. Satheesh and D. Shanmugam
References 1. Becker, G.C., et al.: Test vector leakage assessment (TVLA) methodology in practice (2013) 2. Bhasin, S., Guilley, S., Sauvage, L., Danger, J.L.: Unrolling cryptographic circuits: a simple countermeasure against sidechannel attacks. In: Pieprzyk, J. (ed.) CTRSA 2010. LNCS, vol. 5985, pp. 195–207. Springer, Heidelberg (2010). https:// doi.org/10.1007/9783642119255 14 3. Blakley, G.R., et al.: Safeguarding cryptographic keys. In: Proceedings of the National Computer Conference, vol. 48, pp. 313–317 (1979) 4. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540286325 2 5. Desmedt, Y.: Some recent research aspects of threshold cryptography. In: Okamoto, E., Davida, G., Mambo, M. (eds.) ISW 1997. LNCS, vol. 1396, pp. 158–173. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0030418 6. Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual information analysis. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 426–442. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540850533 27 7. Gupta, N., Jati, A., Chattopadhyay, A., Sanadhya, S.K., Chang, D.: Threshold implementations of gift: a tradeoﬀ analysis. Technical report. https://eprint.iacr. org/2017/1040.pdf 8. Kocher, P., Jaﬀe, J., Jun, B.: Diﬀerential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3540484051 25 9. Kutzner, S., Nguyen, P.H., Poschmann, A., Wang, H.: On 3share threshold implementations for 4bit Sboxes. In: Prouﬀ, E. (ed.) COSADE 2013. LNCS, vol. 7864, pp. 99–113. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642400261 7 10. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks  Revealing the Secrets of Smart Cards. Springer, New York (2007). https://doi.org/10.1007/9780387381626 11. Moos, T., Moradi, A., Richter, B.: Static power sidechannel analysis of a threshold implementation prototype chip. In: Atienza, D., Natale, G.D. (eds.) Design, Automation & Test in Europe Conference & Exhibition, DATE 2017, Lausanne, Switzerland, 27–31 March 2017, pp. 1324–1329. IEEE (2017). https://doi.org/10. 23919/DATE.2017.7927198 12. Moos, T., Moradi, A., Richter, B.: Static power sidechannel analysis of a threshold implementation prototype chip. In: Proceedings of the Conference on Design, Automation & Test in Europe, pp. 1324–1329. European Design and Automation Association (2017) 13. Moradi, A., Schneider, T.: Sidechannel analysis protection and lowlatency in action. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 517–547. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662538876 19 14. Nikova, S., Nikov, V.: Secret sharing and error correcting. In: Enhancing Cryptographic Primitives with Techniques from Error Correcting Codes, pp. 28–38 (2009). https://doi.org/10.3233/978160750002528
Secure Realization of Lightweight Block Cipher
103
15. Nikova, S., Rechberger, C., Rijmen, V.: Threshold implementations against sidechannel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 529–545. Springer, Heidelberg (2006). https://doi.org/10. 1007/11935308 38 16. Poschmann, A., Moradi, A., Khoo, K., Lim, C., Wang, H., Ling, S.: Sidechannel resistant crypto for less than 2, 300 GE. J. Cryptol. 24(2), 322–345 (2011). https:// doi.org/10.1007/s0014501090866 17. Selvam, R., Shanmugam, D., Annadurai, S., Rangasamy, J.: Decomposed Sboxes and DPA attacks: a quantitative case study using PRINCE. In: Carlet, C., Hasan, M.A., Saraswat, V. (eds.) SPACE 2016. LNCS, vol. 10076, pp. 179–193. Springer, Cham (2016). https://doi.org/10.1007/9783319494456 10 18. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979). http:// doi.acm.org/10.1145/359168.359176 19. Shanmugam, D., Selvam, R., Annadurai, S.: IPcore implementation susceptibility: a case study of low latency ciphers. IACR Cryptology ePrint Archive 2017, 248 (2017). http://eprint.iacr.org/2017/248 20. Vaudenay, S.: Sidechannel attacks on threshold implementations using a glitch algebra. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 55–70. Springer, Cham (2016). https://doi.org/10.1007/9783319489650 4 21. Yao, A.C.: Protocols for secure computations (extended abstract). In: 23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois, USA, 3–5 November 1982, pp. 160–164. IEEE Computer Society (1982). https://doi.org/ 10.1109/SFCS.1982.38 22. YliM¨ ayry, V., Homma, N., Aoki, T.: Improved power analysis on unrolled architecture and its application to PRINCE block cipher. In: G¨ uneysu, T., Leander, G., Moradi, A. (eds.) LightSec 2015. LNCS, vol. 9542, pp. 148–163. Springer, Cham (2016). https://doi.org/10.1007/9783319290782 9
Exploiting Security Vulnerabilities in Intermittent Computing Archanaa S. Krishnan(B) and Patrick Schaumont(B) Virginia Tech, Blacksburg, VA 24060, USA {archanaa,schaum}@vt.edu
Abstract. Energy harvesters have enabled widespread utilization of ultralowpower devices that operate solely based on the energy harvested from the environment. Due to the unpredictable nature of harvested energy, these devices experience frequent power outages. They resume execution after a power loss by utilizing intermittent computing techniques and nonvolatile memory. In embedded devices, intermittent computing refers to a class of computing that stores a snapshot of the system and application state, as a checkpoint, in nonvolatile memory, which is used to restore the system and application state in case of power loss. Although nonvolatile memory provides tolerance against power failures, they introduce new vulnerabilities to the data stored in them. Sensitive data, stored in a checkpoint, is available to an attacker after a power loss, and the stateoftheart intermittent computing techniques fail to consider the security of checkpoints. In this paper, we utilize the vulnerabilities introduced by the intermittent computing techniques to enable various implementation attacks. For this study, we focus on TI’s Compute Through Power Loss utility as an example of the stateoftheart intermittent computing solution. First, we analyze the security, or lack thereof, of checkpoints in the latest intermittent computing techniques. Then, we attack the checkpoints and locate sensitive data in nonvolatile memory. Finally, we attack AES using this information to extract the secret key. To the best of our knowledge, this work presents the ﬁrst systematic analysis of the seriousness of security threats present in the ﬁeld of intermittent computing. Keywords: Intermittent computing · Attacking checkpoints Embedded system security · Nonvolatile memory
1
Introduction
Energy harvesters generate electrical energy from ambient energy sources, such as solar [JM17], wind [HHI+17], vibration [YHP09], electromagnetic radiation [CLG17], and radio waves [GC16]. Recent advances in energyharvesting technologies have provided energy autonomy to ultralowpower embedded devices. Since the energy is harvested depending on the availability of ambient energy, the harvester does not harvest energy continuously. Based on the c Springer Nature Switzerland AG 2018 A. Chattopadhyay et al. (Eds.): SPACE 2018, LNCS 11348, pp. 104–124, 2018. https://doi.org/10.1007/9783030050726_7
Exploiting Security Vulnerabilities in Intermittent Computing
105
availability of energy, the device is powered on/oﬀ, leading to an intermittent operation. Classical devices come equipped with volatile memory, such as SRAM [AKSP18] or DRAM [NNM+18], which loses its state on power loss. In recent years, there has been a vast inﬂux of devices with write eﬃcient nonvolatile memory, such as FRAM [YCCC07] or MRAM [SVRR13]. Nonvolatile memory retains its state even after a power loss and provides instant on/oﬀ capabilities to intermittent devices. A majority of these devices contain both volatile and nonvolatile memory. Typically, volatile memory is used to store the system and application state as it is relatively faster than nonvolatile memory. The system state includes the processor registers, such as the program counter, stack pointer, and other general purpose registers, and settings of all the peripherals in use. The application state includes the stack, heap and any developer deﬁned variables that are needed to resume program execution. And nonvolatile memory is used to store the code sections, which is nonrewritable data. In the event of a power loss, volatile memory loses its program state, wiping both the application and system state. Thus, it is diﬃcult to implement longrunning applications on intermittent devices with only nonvolatile memory to ensure accurate program execution. Intermittent computing was proposed as a cureall for the loss of program state and to ensure forward progress of longrunning applications. Instead of restarting the device, intermittent computing creates a checkpoint that can be used to restore the device when power is restored. A checkpoint contains all the application and system state information necessary to continue the longrunning application. It involves two steps: checkpoint generation and checkpoint restoration. In the checkpoint generation process, all the necessary information is stored as a checkpoint in nonvolatile memory. When the device is powered up again, after a power loss, instead of restarting the application, checkpoint restoration is initiated. In the checkpoint restoration process, the system and application state are restored using the most recently recorded checkpoint, ensuring that the application resumes execution. There is extensive research in the ﬁeld of intermittent computing, which is discussed further in the paper, that focuses on eﬃcient checkpointing techniques for intermittent devices. The introduction of nonvolatile memory to a device changes the system dynamics by manifesting new vulnerabilities. Although the purpose of nonvolatile memory is to retain checkpointed data even after a power loss, the sensitive data present in a checkpoint is vulnerable to an attacker who has access to the device’s nonvolatile memory. The nonvolatile memory may contain passwords, secret keys, and other sensitive information in the form of checkpoints, which are accessible to an attacker through a simple JTAG interface or advanced onchip probing techniques [HNT+13,SSAQ02]. As a result, nonvolatile memory must be secured to prevent unauthorized access to checkpoints. Recent work in securing nonvolatile memory guarantees conﬁdentiality of stored data [MA18]. Sneak path encryption (SPE) was proposed to secure nonvolatile memory using a hardware intrinsic encryption algorithm [KKSK15]. It
106
A. S. Krishnan and P. Schaumont
exploits physical parameters inherent to a memory to encrypt the data stored in nonvolatile memory. iNVM, another nonvolatile data protection solution, encrypts main memory incrementally [CS11]. These techniques encrypt the nonvolatile memory in its entirety and are designed primarily for classical computers with unlimited compute power. We are unaware of any lightweight nonvolatile memory encryption technique that can be applied to an embedded system. Consequently, a majority of the intermittent computing solutions do not protect their checkpoints in nonvolatile memory [Hic17,JRR14,RSF11]. As far as we know, the stateoftheart research in the intermittent computing ﬁeld does not provide a comprehensive analysis of the vulnerabilities enabled by its checkpoints. In this paper, we focus on the security of checkpoints, particularly that of intermittent devices, when the device is powered oﬀ. We study existing intermittent computing solutions and identify the level of security provided in their design. For evaluation purposes, we choose Texas Instruments’(TI) Compute Through Power Loss (CTPL) utility as a representative of the stateoftheart intermittent computing solutions [Tex17a]. We exploit the vulnerabilities of an unprotected intermittent system to enable diﬀerent implementation attacks and extract the secret information. Although the exploits will be carried out on CTPL utility, they are generic and can be applied to any intermittent computing solution which stores its checkpoints in an insecure nonvolatile memory. Contribution: We make the following contributions in this paper: – We are the ﬁrst to analyze the security of intermittent computing techniques and to identify the vulnerabilities introduced by its checkpoints. – We implement TI’s CTPL utility and attack its checkpoints to locate the sensitive variables of Advanced Encryption Standard (AES) in nonvolatile memory. – We then attack a software implementation of AES using the information identiﬁed from unsecured checkpoints. Outline: Section 2 gives a brief background on existing intermittent computing solutions and their properties, followed by a detailed description of CTPL utility in Sect. 3. Section 4 details our attacker model. Section 5 enumerates the vulnerabilities of an insecure intermittent system, with a focus on CTPL utility. Section 6 exploits these vulnerabilities to attack CTPL’s checkpoints to locate sensitive information stored in nonvolatile memory. Section 7 utilizes the unsecured checkpoints to attack AES and extract the secret key. We conclude in Sect. 8.
2
Background on Intermittent Computing and Its Security
Traditionally, to generate a checkpoint of a longrunning application, the application is paused before the intermittent computing technique can create a checkpoint. The process of saving and restoring the device state consumes extra energy
Exploiting Security Vulnerabilities in Intermittent Computing
107
Table 1. A comparison of the stateoftheart intermittent computing techniques based on the properties of its checkpoints and the nature of the checkpoint generation calls, such as online checkpoint calls, checkpoint calls placed around idempotent sections of code that do not aﬀect the device state after multiple executions, voltageaware techniques that dynamically checkpoint based on the input voltage, energyaware techniques that dynamically generate checkpoints depending on the availability of energy and checkpoint (CKP) security Intermittent model
Properties Online Idempotency Voltage aware
Energy aware
HW SW CKP security
DINO [LR15]
–
–
–
–
–
None
Mementos [RSF11]
–
–
–
–
None
QuickRecall [JRR14]
–
–
None
Clank [Hic17]
–
–
–
–
None
Ratchet [WH16]
–
–
–
–
None
Hibernus [BWM+15]
–
–
None
CTPL [Tex17a]
–
–
–
None
Ghodsi et al. [GGK17]
–
–
–
–
Confidentiality
and time over the regular execution of the application, which is treated as the checkpoint overhead. This overhead depends on several factors such as the inﬂux of energy, power loss patterns, progress made by the application, checkpoint size, and frequency of checkpoint generation calls. The latest intermittent computing techniques strive to be eﬃcient, by minimizing the checkpoint overhead in their design. Table 1 compares various stateoftheart intermittent computing techniques based on their design properties. In DINO [LR15], Lucia et al. developed a software solution to maintain the volatile and nonvolatile data consistency using a taskbased programming and taskatomic execution model of an intermittent device. Ransford et al. [RSF11] developed Mementos, a software checkpointing system, which can be used without any hardware modiﬁcations. Mementos is an energyaware checkpointing technique because checkpoint calls are triggered online depending on the availability of energy. At compile time, energy checks are inserted at the control points of the software program. At runtime, these checks trigger the checkpoint call depending on the capacitor voltage. QuickRecall [JRR14], another online checkpointing technique, is a lightweight insitu scheme that utilizes FRAM as a uniﬁed memory. When FRAM is utilized as a uniﬁed memory, it acts as both the conventional RAM and ROM. Now, FRAM contains both the application state from RAM and nonwritable code sections from ROM. In the event of powerloss, RAM data remains persistent in FRAM and upon powerup, the program resumes execution without having to restore it. The checkpoint generation call is triggered upon detecting a drop in
108
A. S. Krishnan and P. Schaumont Table 2. State of the core (CPU), the power management module (PMM), volatile memory (SRAM) and various clock sources (MCLK, ACLK, SMCLK) that drive various peripheral modules in diﬀerent operating modes
Fig. 1. MSP430FRxxxx architecture, contains the core (CPU), power management module (PMM), volatile memory (SRAM), nonvolatile memory (FRAM) and other peripheral modules
Mode LPM0 LPM1 LPM2 LPM3 LPM4 LPMx.5
CPU On Oﬀ Oﬀ Oﬀ Oﬀ Oﬀ
PMM On On On On On Oﬀ
SRAM On On On On On Oﬀ
MCLK On Oﬀ Oﬀ Oﬀ Oﬀ Oﬀ
ACLK On On On On Oﬀ Oﬀ
SMCLK Optional Optional Optional Oﬀ Oﬀ Oﬀ
the supply voltage. The net overhead incurred for checkpointing is reduced to storing and restoring the volatile registers that contain system state information. Apart from these energyaware checkpointing techniques, other schemes have been proposed that leverages the natural idempotent properties of a program in their design [Hic17,WH16]. This property aids in identifying idempotent sections of code that can be executed multiple times and generate the same output every time. None of the above intermittent computing solutions consider the security of its checkpoints, and the vulnerabilities introduced by nonvolatile memory are ignored. An attacker with physical access to the device has the potential to read out the sensitive data stored in nonvolatile memory. We know of one work which attempts to secure its checkpoints by encryption [GGK17]. Although encryption provides conﬁdentiality, it does not guarantee other security properties, such as authenticity and integrity, without which an intermittent system is not fully secure because of the following reason. In all the latest checkpointing solutions, the device decrypts and restores the stored checkpoint without checking if it is a good or a corrupt checkpoint. If the attacker has the potential to corrupt the encrypted checkpoints, unbeknownst to the device, it will be restored to an attackercontrolled state. We exploit the lack of checkpoint security to mount our attacks in Sect. 7. In the next section, we focus on TI’s CTPL utility as an example of the latest intermittent computing solution.
3
CTPL
TI has introduced several low power microcontrollers in the MSP430 series. The FRAM series of devices, with a component identiﬁer of the form MSP430FRxxxx, has up to 256 kB of onchip FRAM for longterm data storage [Tex17b]. FRAM is an ideal choice of nonvolatile memory for these microcontrollers for its high speed, low power, and endurance properties [KJJL05].
Exploiting Security Vulnerabilities in Intermittent Computing
109
Fig. 2. Principle of operation of CTPL, checkpoint (CKP) generation and restoration based on the supply voltage, Vcc , and its set threshold voltage, Vth
Figure 1 illustrates the architecture of the FR series of devices. The MSP430 CPU is a 16bit RISC processor with sixteen general purpose registers (GPR). The power management module (PMM) manages the power supply to CPU, SRAM, FRAM and other modules that are used. Typically, SRAM is the main memory that holds the application and system state. These microcontrollers can be operated in diﬀerent operating modes ranging from Active Mode (AM) to various low power modes (LPM), listed in Table 2. In active mode, PMM is enabled, which supplies the power supply to the device. The master clock (MCLK) is active and is used by the CPU. The auxiliary clock (ACLK), which is active, and subsystem master clock (SMCLK), which is either be active or disabled, are software selectable by the individual peripheral modules. For example, if a timer peripheral is used, it can either be sourced by ACLK or SMCLK, depending on the software program. In low power modes, the microcontroller consumes lesser power compared to the active mode. The amount of power consumed in these modes depends on the type of LPM. Typically, there are ﬁve regular low power modes  LPM0 to LPM4; and two advanced low power modes  LPM3.5 and LPM4.5, also known as LPMx.5. As listed in Table 2, in all low power modes, the CPU is disabled as MCLK is not active. Apart from the CPU, other modules are disabled depending on its clock source. For instance, if a timer peripheral is sourced by SMCLK in active mode, this timer will be disabled in LPM3 as SMCLK is not active in this low power mode. But in all the regular low power modes, as PMM is enabled, SRAM remains active, which leaves the system and application state unchanged. Upon wakeup from a regular LPM, the device only needs to reinitialize the peripherals in use and continue with the retained SRAM state. In LPMx.5, most of the modules are powered down, including PMM, to achieve the lowest power consumption of the device. Since PMM is no longer enabled, SRAM is disabled and the system and application state stored in SRAM are lost. Upon wakeup from LPMx.5, the core is completely reset. The applica
110
A. S. Krishnan and P. Schaumont
Fig. 3. Voltage monitor using comparator, COMP E
tion has to reinitialize both the system and application state in SRAM, including the CPU state, required peripheral state, local variables, and global variables. Even though LPMx.5 is designed for ultralow power consumption, the additional initialization requirement increases the startup time and complexity of the application. TI introduced CTPL [Tex17a], a checkpointing utility that saves the necessary system and application state depending on the low power mode, to remove the dependency of saving and restoring state from the application. CTPL utility also provides a checkpoint ondemand solution for intermittent systems, similar to QuickRecall [JRR14]. It deﬁnes dedicated linker description ﬁles for all its MSP430FRxxxx devices that allocates all the application data sections in FRAM and allocates a storage location to save volatile state information. Figure 2 illustrates the checkpoint generation and restoration process with respect to the supply voltage. A checkpoint is generated upon detecting power loss, which stores the volatile state information in nonvolatile memory. Volatile state includes the stack, processor registers, general purpose registers and the state of the peripherals in use. Power loss is detected either using the onchip analogtodigital (ADC) converter or with the help of the internal comparator. Even after the device loses the main power supply, it is powered by the decoupling capacitors for a small time. The decoupling capacitors are connected to the power rails, and they provide the device with suﬃcient grace time to checkpoint the volatile state variables. After the required states are saved in a checkpoint, the device waits for a brownout reset to occur as a result of power loss. A timer is conﬁgured to timeout for false power loss cases when the voltage ramps up to the threshold voltage, Vth , illustrated in Fig. 2. Checkpoint restoration process is triggered by a timeout, device reset or power on, where the device returns to the last known application state using the stored checkpoint. Using a Comparator to Detect Power Loss: The voltage monitor in Fig. 3 can be constructed using the comparator peripheral, COMP E, in conjunction with an external voltage divider, to detect power loss. The input voltage supply, VCC , is fed to an external voltage divider which provides an output equivalent to VCC /2. The comparator is conﬁgured to trigger an interrupt if the output from the voltage divider falls below the 1.5 V reference voltage, Vref , i.e, an interrupt is triggered if VCC falls below 3 V. Vref is generated by the onchip reference
Exploiting Security Vulnerabilities in Intermittent Computing
111
Fig. 4. CTPL checkpoint generation and restoration ﬂowchart
module, REF A [Tex17b]. The interrupt service routine will disable the voltage monitor and invoke the ctpl enterShutdown() function, which saves the volatile state information. Using ADC to Detect Power Loss: MSP430FRxxxx devices are equipped with a 12bit ADC peripheral, ADC12 B, which can also be used to monitor the input voltage. Similar to the comparator based voltage monitor, the VCC /2 signal is constantly compared to a ﬁxed reference voltage to detect power loss. ADC peripheral is conﬁgured with the 2 V or 1.5 V reference voltage from the device’s reference module, REF A. VCC /2 signal is provided by the internal battery monitor channel. The high side comparator is conﬁgured to 3.1 V. ADC monitor is triggered when the device has a stable input voltage of 3.1 V, upon which the device disables the high side trigger, enables the low side triggers, and begins monitoring VCC . Upon detecting power loss the ADC monitor invokes ctpl enterShutdown() function to save the volatile state information. The rest of the brownout and timeout functionalities are the same for the comparator and ADC based voltage monitor. Checkpoint Generation: Call to ctpl enterShutdown() function saves the volatile state in three steps, as shown in the bottom of Fig. 4. In the ﬁrst step, the volatile peripheral state, such as a timer, comparator, ADC, UART, etc., and general purpose registers (GPRs) are stored in the nonvolatile memory. The second and third step are programmed in assembly instructions to prevent mangling the stack when it is copied to the nonvolatile memory. In the second step, the watchdog timer module is disabled to prevent unnecessary resets and the stack is saved. Finally, the ctpl valid ﬂag is set. ctpl valid ﬂag, which is a part of the checkpoint stored in FRAM, is used to indicate the completion of the checkpoint generation process and is set after the CTPL utility has checkpointed all the volatile state information. Until ctpl valid is set, the system
112
A. S. Krishnan and P. Schaumont
does not have a complete checkpoint. After the ﬂag is set, the device waits for a brownout reset or timeout. CTPL deﬁnes dedicated linker description ﬁles for all MSP430FRxxxx devices that places its application data sections in FRAM. Application speciﬁc variables, such as local and global variables, are retained in FRAM through power loss without explicitly storing or restoring them. Checkpoint Restoration: Upon powerup, the startup sequence checks if the ctpl valid ﬂag is set, as illustrated in Fig. 4. If the ﬂag is set, then the nonvolatile memory contains a valid checkpoint which can be used to restore the device, else the device starts execution from main(). Checkpoint restoration is also carried out in three steps. First, the stack is restored from the checkpoint location using assembly instructions, which resets the program stack. Second, CTPL restores the saved peripherals and general purpose registers before restoring the program counter in the ﬁnal step. Then, the device jumps to the program counter set in the previous step and resumes execution. In this complex mesh of checkpoint generation and restoration process of CTPL, checkpoint security is ignored. All the sensitive information from the application that is present in the stack, general purpose registers, local variables and global variables are vulnerable in the nonvolatile memory. In the following sections, we describe our attacker model and enumerate various security risks involved in leaving checkpoints unsecured in a nonvolatile memory.
4
Attacker Model
To evaluate the security of the current intermittent computing solutions, we focus on the vulnerabilities of the system when it is suspended after a power loss, and assume that the device incorporates integrity and memory protection features when it is powered on. We study two attack scenarios to demonstrate the seriousness of the security threats introduced by the checkpoints of an intermittent system. In the ﬁrst case, we consider a knowledgeable attacker who has suﬃcient information about CTPL and the target device to attack the target algorithm. In the second case, we consider a blind attacker who does not have any information about CTPL or the target device but still possess the objective to attack the target algorithm. In both the cases, the attacker has the following capabilities. – The attacker has physical access to the device. – The attacker can access the memory via traditional memory readout ports or employ sophisticated onchip probing techniques [HNT+13,SSAQ02], to retrieve persistent data. This allows unrestricted reads and writes to the data stored in the device memory, particularly the nonvolatile memory, directly providing access to the checkpoints after a power loss. All MSP430 devices have a JTAG interface, which is mainly used for debugging and program development. We use it to access the device memory using development tools, such as TI’s Code Composer Studio (CCS) and mspdebug.
Exploiting Security Vulnerabilities in Intermittent Computing
113
– The attacker has suﬃcient knowledge about the target algorithm to analyze the memory. We assume that each variable of the target algorithm is stored in a contiguous memory location on the device. The feasibility of this assumption is described in Sect. 6 using Fig. 5 – The attacker can also modify the data stored in nonvolatile memory without damaging the device. Therefore, the attacker has the ability to corrupt the checkpoints stored in nonvolatile memory.
5
Security Vulnerabilities of Unsecured Checkpoints
Based on the above attacker model, we identify the following vulnerabilities, which are introduced by the checkpoints of an intermittent system. Checkpoint Snooping: An attacker with access to the device’s nonvolatile memory has direct access to its checkpoints. Any sensitive data included in a checkpoint, such as secret keys, the intermediate state of a cryptographic primitive and other sensitive application variables, is now available to the attacker. Since CTPL is an opensource utility, a knowledgeable attacker can study the utility and easily identify the location of checkpoints, and in turn, extract sensitive information. A blind attacker can also extract sensitive information by detecting patterns that occur in memory. Section 6 provides a detailed description of techniques used in this paper to extract sensitive information. Vulnerable data, which is otherwise private during application execution, is now available for the attacker to use at their convenience. A majority of the intermittent computing techniques, similar to CTPL, do not protect their checkpoints. Although encrypting checkpoints protects the conﬁdentiality of data, as in [GGK17], it is not suﬃcient to provide overall security to an intermittent system. Checkpoint Spoofing: With the ability to modify nonvolatile memory, the attacker can make unrestricted changes to checkpoints. In CTPL and other intermittent computing solutions, if a checkpoint exists, it is used to restore the device without checking if it is indeed an unmodiﬁed checkpoint of the current application setting. Upon power oﬀ, both the blind and knowledgeable attacker can locate the sensitive variable in a checkpoint, change it to an attackercontrolled value. As long as the attacker does not reset ctpl valid, the checkpoint remains valid for CTPL. At the next powerup, unknowingly, the device restores this tampered checkpoint. From this point, the device continues execution in an attackercontrolled sequence. Encrypting checkpoints is not suﬃcient protection against checkpoint spooﬁng. The attacker can corrupt the encrypted checkpoint at random, and the device will decrypt and restore the corrupted checkpoint. Since the decrypted checkpoint may not necessarily correspond to a valid system or application state, the device may restore to an unstable state, leading to a system crash.
114
A. S. Krishnan and P. Schaumont
Fig. 5. AES variables present in a checkpoint and their contiguous placement in FRAM identiﬁed using the Linux command nm. nm lists the symbol value (hexadecimal address), symbol type (D for data section) and the symbol name present in the executable ﬁle main.elf.
Checkpoint Replay: An attacker who can snoop into the nonvolatile memory can also make copies of all the checkpoints. Since both the blind and knowledgeable attackers are aware of the nature of the software application running on the device, they possess enough information to control the sequence of program execution. Equipped with the knowledge of the history of checkpoints, the attacker can overwrite the current checkpoint with any arbitrary checkpoint from their store of checkpoints. Since ctpl valid is set in every checkpoint, the device is restored to a stale state from the replayed checkpoint. This gives the attacker capabilities to jump to any point in the software program with just a memory overwrite command. Similar to CTPL, the rest of the intermittent computing techniques also restore replayed checkpoints without checking if it is indeed the latest checkpoint.
6
Exploiting CTPL’s Checkpoints
In this section, we provide a brief description of the software application under attack, followed by our experimental setup. We then explain our method to identify the location of checkpoints and sensitive data in FRAM, based on the capabilities of the attacker. We show that checkpoint snooping is suﬃcient to identify the sensitive data in nonvolatile memory. 6.1
Experimental Setup
To mount our attack on CTPL utility, we used TI’s MSP430FR5994 LaunchPad development board. The target device is equipped with 256 kB of FRAM which is used to store the checkpoints. We use TI’s FRAM utility library to implement CTPL as a utility API [Tex17a]. We implement TI’s software AES128 library on MSP430FR5994 as the target application running on the intermittent device. Figure 5 lists a minimum set of variables that must be checkpointed to ensure forward progress of AES. They are declared persistent to ensure that they are placed in FRAM. Figure 5 also lists the location of these variables in FRAM, identiﬁed using the Linux nm command. All the AES variables are placed next to each other in FRAM, from 0x1029F to 0x1037E, which satisﬁes our assumption that the variables of the target algorithm are stored in a contiguous memory
Exploiting Security Vulnerabilities in Intermittent Computing
115
Fig. 6. Memory dump of FRAM, where the checkpoint begins from 0x10000 and ends at 0x103DB
location. The executable ﬁle,main.elf, was only used to prove the feasibility of this assumption and is not needed to carry out the attack described in this paper. As CTPL is a voltageaware checkpointing scheme, the application developer need not place checkpoint generation and restoration calls in the software program. CTPL, which is implemented as a library on top of the software program, automatically saves and restores the checkpoint based on the voltage monitor output. To access the checkpoints, we use mspdebug commands memory dump (md) and memory write (mw) to read from and write to the nonvolatile memory, respectively, via the JTAG interface. Other memory probing techniques, [HNT+13,SSAQ02], can also be utilized to deploy our attack on AES when JTAG interface is disabled or unavailable. 6.2
Capabilities of a Knowledgeable Attacker
Armed with the information about CTPL and the target device, a knowledgeable attacker analyzes the 256 kB of FRAM to identify the location and size of checkpoints in nonvolatile memory. The following analysis can be performed after CTPL generates at least one checkpoint, which is generated at random, on the target device. Locate the Checkpoints in Memory: A knowledgeable attacker examines CTPL’s linker description ﬁle for MSP430FR5994 to identify the exact location of FRAM region in the device’s memory that hosts the checkpoints. In the linker description ﬁle, FRAM memory region is deﬁned from 0x10000, which is the starting address of .persistent section of memory. CTPL places all application data sections in the .persistent section of the memory. Thus, the application speciﬁc variables required for forward progress are stored somewhere between in 0x10000 and 0x4E7FF. Identifying Checkpoint Size: A knowledgeable attacker has the ability to distinguish the checkpoint storage from regular FRAM memory regions using two
116
A. S. Krishnan and P. Schaumont
Fig. 7. A section of the diff output of memory dumps that locates a consistent difference of 16 bytes at the memory location 0x102B0, which pinpoints the location of the intermediate state of AES
properties of the target device. First, any variable stored in FRAM must either be initialized by the program or it will be initialized to zero by default. Second, the target device’s memory reset pattern is 0xFFFF. Based on these properties, the attacker determines that the checkpoint region of FRAM will either be initialized to a zero or nonzero value and the unused region of FRAM will retain the reset pattern. The knowledgeable attacker generates a memory dump of the entire FRAM memory region to distinguish the location of checkpoints. In the memory dump, only a small section of the 256 kB of FRAM was initialized, and the majority of the FRAM was ﬁlled with 0xFFFF, as shown in Fig. 6. Thus, the checkpoint is stored starting from 0x10000 up to 0x103DB, with a size of 987 bytes. In an application where the length of input and output are ﬁxed, which is the case of our target application, the size of a checkpoint will remain constant. It is suﬃcient to observe this 987 bytes of memory to monitor the checkpoints. Thus, a knowledgeable attacker who has access to the device’s linker description ﬁle and device’s properties can pinpoint the exact location of the checkpoint with a single copy of FRAM. 6.3
Capabilities of a Blind Attacker
Unlike knowledgeable attackers, blind attackers do not possess any information about CTPL or the device, but only have unrestricted access to the device memory. They can still analyze the device memory to locate sensitive information stored in it. The set capabilities of a knowledgeable attacker is a superset of the set of capabilities of a blind attacker. Therefore, the following analysis can also be performed by a knowledgeable attacker. To ensure continuous operation of AES, CTPL stores the intermediate state of AES, state; secret key, key; round counter, round and other application variables in FRAM. These variables are present in every checkpoint and can be
Exploiting Security Vulnerabilities in Intermittent Computing
117
identiﬁed by looking for a pattern in the memory after a checkpoint is generated. To study the composition of device memory, the blind attacker collects 100 diﬀerent dumps of the entire memory of the device, where each memory dump is captured after a checkpoint is generated at a random point in AES, irrespective of the location and frequency of checkpoint calls. 100 was chosen as an arbitrary number of memory dumps to survey as a smaller number may not yield conclusive results. And a larger number will aﬃrm the conclusions derived from 100 memory dumps. The blind attacker uses the following technique to locate state in the memory. Locate the Intermediate State of AES: At a given point of time, AES operates on 16 bytes of intermediate state. This intermediate state is passed through 10 rounds of operation before a ciphertext is generated. By design, each round of AES confuses and diﬀuses its state such that at least half the state bytes are changed after every round. After two rounds of AES, all the 16 bytes of intermediate state are completely diﬀerent from the initial state [DR02]. Thus, any 16 bytes of contiguous memory location that is diﬀerent between memory dumps is a possible intermediate state. To identify the intermediate state accurately, the blind attacker stores each of the collected memory dump in an individual text ﬁle for postprocessing using the Linux diff command. diff command locates the changes between two ﬁles by comparing them line by line. The attacker computes the diﬀerence between each of the 100 memory dumps using this command and makes the following observation. On average, seven diﬀerences appear between every memory dump. Six of the seven diﬀerences correspond to small changes to memory ranging from a single bit to a couple of bytes. Only one diﬀerence, located at 0x102A2, corresponds to a changing memory of up to 16 contiguous bytes, as shown in Fig. 7. Based on the design of AES, the attacker concludes that any diﬀerence in memory that lines up to a 16 bytes can be inferred as a change in state. From the diff output highlighted in Fig. 7, the blind attacker accurately identiﬁes state to begin from 0x102B0 and end at 0x102BF. It is also reasonable to assume that state is stored in the same location in every checkpoint as it appears at 0x102B0 in all memory dumps. The attacker can also pinpoint the location of the round counter using a similar technique. round is a 4bit value that ranges from 0 to 11 depending on the diﬀerent rounds of AES. Thus, any diﬀerence in memory that spans across 4 contiguous bits, and takes any value from 0 to 11 are ideal candidates for the round counter.
7
Attacking AES with Unsecured Checkpoints
Equipped with the above information on checkpoints and location of sensitive variables in FRAM, we extract the secret key using three diﬀerent attacks brute forcing the memory, injecting targeted faults in the memory and replaying checkpoints to enable side channel analysis. We demonstrate that when the attacker can control the location of checkpoint generation call, it is most eﬃcient
118
A. S. Krishnan and P. Schaumont
to extract the secret key using fault injection techniques, and when the attacker has no control over the location of checkpoint call, brute forcing the key from memory yields the best results. 7.1
Brute Forcing the Key from Memory
Since the device must checkpoint all the necessary variables to ensure forward progress, it is forced to checkpoint the secret key used for encryption as well. To extract the key by brute forcing the memory, the attacker needs a checkpoint or a memory dump with a checkpoint, a valid plaintext/ciphertext pair, and AES programmed on an attackercontrolled device who’s plaintext and key can be changed by the attacker. The attacker generates all possible keys from the memory, programs the attackercontrolled device with the correct plaintext and diﬀerent key guesses. The key guess that generates the correct ciphertext output on the attackercontrolled device is the target device’s secret key. Based on the assumption that the key stored in FRAM appears in 16 bytes of contiguous memory location, the attacker computes the number of possible keys using the following equation: NKeyGuess = Lmemory − Lkey + 1
(1)
where, NKeyGuess is the total number of key guesses that can be derived from a memory, Lmemory is the length of the memory in bytes and Lkey is the length of key in bytes. The number of key guesses varies depending on the capabilities of the attacker, as detailed below. Knowledgeable Attack: Knowledgeable attackers begins with a copy of a single checkpoint from FRAM. The 16byte key is available in FRAM amidst the checkpointed data, which is 987 bytes long. Using Eq. 1, a knowledgeable attacker computes the number of possible key guesses to be 972. Thus, for a knowledgeable attacker, the key search space is reduced from 2128 to 29 + 460. Blind Attack: Since blind attackers do not know the location or size of the checkpoint, they start with a copy of the memory of the device that contains a single checkpoint. MSP430FR5994 has 256 kB of FRAM, which is 256,000 bytes long. Using Eq. 1, the number of key guesses for a blind attacker equals 255,985. For a blind attacker, the search space for the key is reduced to 218 − 6159 In both the attacker cases, all possible keys are derived by going over the memory 16 contiguous bytes at a time. These key guesses are fed to the attackercontrolled device to compute the ciphertext. The key guess that generates the correct ciphertext is found to be the secret key of AES. Even though a blind attacker generates more key guesses and requires more time, they can still derive the key in less than 218 attempts, which is far less compared to the 2128 attempts of a regular brute force attack. The extracted key can be used to decrypt subsequent ciphertexts as long as it remains constant in checkpoints. If none of the
Exploiting Security Vulnerabilities in Intermittent Computing
119
key guesses generate the correct ciphertext, then the secret was not checkpointed by CTPL. When the key is not stored in FRAM, it can be extracted using the two attacks described below. 7.2
Injecting Faults in AES via Checkpoints
Fault attacks alter the regular execution of the program such that the faulty behavior discloses information that is otherwise private. Several methods of fault injection have been studied by researchers, such as single bit faults [BBB+10] and single byte faults [ADM+10]. A majority of these methods require dedicated hardware support in the form of laser [ADM+10] or voltage glitcher [BBGH+14] to induce faults in the target device. Even with dedicated hardware, it is not always possible to predict the outcome of a fault injection. In this paper, we focus on injecting precise faults to AES and use existing fault analysis methods to retrieve the secret key. To inject a fault on the target device, the attacker needs the exact location of the intermediate state in memory and the ability to read and modify the device memory. They also require a correct ciphertext output to analyze the eﬀects of the injected fault. The correct ciphertext output is the value of state after the last round of AES, which is obtained from a memory dump of the device that contains a checkpoint that was generated after AES completed all ten rounds of operation. Both the blind and the knowledgeable attacker know the location of state in memory and have access to memory. A simple memory write command can change the state and introduce single or multiple bit faults in AES. This type of fault injection induces targeted faults in AES without dedicated hardware support. We describe our method to inject single bit and single byte fault to perform diﬀerential fault analysis (DFA) on AES introduced in [Gir05] and [DLV03] respectively. Inducing Single Bit Faults: To implement the singlebit DFA described in [Gir05], the attacker requires a copy of the memory that contains a checkpoint that was generated just before the ﬁnal round of AES. This memory contains the intermediate state which is the input to the ﬁnal round. The attacker reads state from 0x102B0, modiﬁes a singlebit at an arbitrary location in state and overwrites it with this faulty state to induce a singlebit fault. When the device is poweredup, CTPL restores the tampered checkpoint and AES resumes computation with the faulty state. The attacker then captures the faulty ciphertext output and analyzes it with the correct ciphertext to compute the last round key and subsequently the secret key of AES using the method described in [Gir05]. With the help of the unsecured checkpoints from CTPL, both blind and knowledgeable attackers can inject targeted faults in AES with single bit precision, enabling easy implementation of such powerful attacks. Inducing Single Byte Faults: To induce a single byte fault and implement the attack described in [DLV03], the attacker requires a copy of the memory
120
A. S. Krishnan and P. Schaumont
that contains a checkpoint that was generated before the Mix Column transformation of the ninth round of AES. Similar to a single bit fault, the attacker overwrites state with a faulty state. The faulty state diﬀers from the original state by a single byte. For example, if state contains 0x0F in the ﬁrst byte, the attacker can induce a single byte fault by writing 0x00 to 0x102B0. When the device is poweredup again, CTPL restores the faulty checkpoint. AES resumes execution and the single byte fault is propagated across four bytes of the output at the end of the tenth round of AES. The faulty ciphertext diﬀers from the correct ciphertext at memory locations 0x102B0, 0x102B7, 0x102BA and 0x102BD. Using this diﬀerence, the attacker derives all possible values for four bytes of the last round key. They induce other single byte faults in state and collect the faulty ciphertexts. They use the DFA technique described in [DLV03] to analyze the faulty ciphertext output and ﬁnd the 16 bytes of AES key with less than 50 ciphertexts. Thus, the ability to modify checkpoints aids in precise fault injection which can be exploited to break the conﬁdentiality of AES. 7.3
Replaying Checkpoints to Side Channel Analysis
The secret key of AES can also be extracted by using diﬀerential power analysis (DPA) [KJJ99]. In DPA, several power traces of AES are needed, where each power trace corresponds to the power required to process a diﬀerent plaintext using the same secret key. These power traces are then analyzed to ﬁnd the relation between the device’s power consumption and secret bits, to derive the AES key. Similar to DFA, to extract the secret key using DPA, the attacker needs the correct location of state of AES, which is known by both the blind and knowledgeable attacker. With access to the device memory, the attacker can read and modify state to enable DPA. To perform DPA on the target device, they need a copy of the device memory that contains a checkpoint that was generated just before AES begins computation. The state variable in this checkpoint contains the plaintext input to AES. It is suﬃcient to replay this checkpoint to restart AES computations multiple times. To obtain useful power traces from each computation, the attacker overwrites state with a diﬀerent plaintext every time. Upon every powerup, CTPL restores the replayed checkpoint and AES begins computation with a diﬀerent plaintext each time. The target device now encrypts each of the plaintext using the same key. The power consumption of each computation is recorded and processed to extract the secret bits leaked in the power traces, and consequently, derive the secret key. Even though this attack also requires a copy of memory and modiﬁcations to state, it requires other hardware, such as an oscilloscope, to collect and process the power traces to derive the secret key. 7.4
Attack Analysis
If it is feasible to obtain a copy of the memory that contains a checkpoint from a speciﬁed round of AES, then extracting the secret key by injecting faults in
Exploiting Security Vulnerabilities in Intermittent Computing
121
checkpoints and performing DFA is the most eﬃcient method for two reasons. First, DFA can extract secret key with less than 50 ciphertexts and an existing DFA technique, such as [DLV03,Gir05], but DPA requires thousands of power traces. Second, unlike DPA, DFA does not require hardware resources such as an oscilloscope to extract the secret key. Thus, injecting faults in checkpoints breaks the conﬁdentiality of AES with the least amount of time and resources, compared to replaying checkpoints. If it not possible to determine when the checkpoint was generated, brute forcing the memory to extract the secret key is the only feasible option. All the attacks described in this paper can be carried out without any knowledge of the device or the intermittent computing technique in use. The attacker only needs unrestricted access to the nonvolatile memory to extract sensitive data from it. Apart from AES, the attacks explored in this paper are also eﬀective against other cryptographic algorithms and security features, such as control ﬂow integrity protection [DHP+15] and attestation solutions [EFPT12], that maybe implemented on an intermittent device. Thus, unprotected checkpoints undermine the security of the online protection schemes incorporated in intermittent devices.
8
Conclusions
Intermittent computing is emerging as a widespread computing technique for energy harvested devices. Even though several researchers have proposed eﬃcient intermittent computing techniques, the security of such computing platforms is not a commonly explored problem. In this paper, we study the security trends in the stateoftheart intermittent computing solutions and investigate the vulnerabilities of the checkpoints of CTPL. Using the unsecured checkpoints, we demonstrate several attacks on AES that was used to retrieve the secret key. This calls for intermittent computing designs that address the security pitfalls introduced in this paper. Since security is not free, resource constrained devices require lightweight protection schemes for their checkpoints. Hence, dedicated research is needed to provide comprehensive, energy eﬃcient security to intermittent computing devices. Acknowledgements. This work was supported in part by NSF grant 1704176 and SRC GRC Task 2712.019.
References [ADM+10] Agoyan, M., Dutertre, J.M., Mirbaha, A.P., Naccache, D., Ribotta, A.L., Tria, A.: Singlebit DFA using multiplebyte laser fault injection. In: 2010 IEEE International Conference on Technologies for Homeland Security (HST), pp. 113–119, Novomber 2010 [AKSP18] AfzaliKusha, H., Shafaei, A., Pedram, M.: A 125mV 2nsaccesstime 16Kb SRAM design based on a 6T hybrid TFETFinFET cell. In: 2018 19th International Symposium on Quality Electronic Design (ISQED), pp. 280–285, March 2018
122
A. S. Krishnan and P. Schaumont
[BBB+10] Barenghi, A., Bertoni, G.M., Breveglieri, L., Pellicioli, M., Pelosi, G.: Fault attack on AES with singlebit induced faults. In: 2010 Sixth International Conference on Information Assurance and Security, pp. 167–172, August 2010 [BBGH+14] BeringuierBoher, N., et al.: Voltage glitch attacks on mixedsignal systems. In: 2014 17th Euromicro Conference on Digital System Design, pp. 379386, August 2014 [BWM+15] Balsamo, D., Weddell, A.S., Merrett, G.V., AlHashimi, B.M., Brunelli, D., Benini, L.: Hibernus: sustaining computation during intermittent supply for energyharvesting systems. IEEE Embed. Syst. Lett. 7(1), 15–18 (2015) [CLG17] Chaari, M.Z., Lahiani, M., Ghariani, H.: Energy harvesting from electromagnetic radiation emissions by compact ﬂouresent lamp. In: 2017 Ninth International Conference on Advanced Computational Intelligence (ICACI), pp. 272–275, February 2017 [CS11] Chhabra, S., Solihin, Y.: iNVMM: a secure nonvolatile main memory system with incremental encryption. In: 38th International Symposium on Computer Architecture (ISCA 2011), San Jose, CA, USA, 4–8 June 2011, pp. 177–188 (2011) [DHP+15] Davi, L., et al.: HAFIX: hardwareassisted ﬂow integrity extension. In: 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC), pp. 1–6, June 2015 [DLV03] Dusart, P., Letourneux, G., Vivolo, O.: Diﬀerential fault analysis on A.E.S. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 293–306. Springer, Heidelberg (2003). https://doi.org/10.1007/ 9783540452034 23 [DR02] Daemen, J., Rijmen, V.: The Design of Rijndael: AES  The Advanced Encryption Standard. Springer, Heidelberg (2002). https://doi.org/10. 1007/9783662047224 [EFPT12] El Defrawy, K., Francillon, A., Perito, D., Tsudik, G.: SMART: secure and minimal architecture for (establishing a dynamic) root of trust. In: NDSS: 19th Annual Network and Distributed System Security Symposium, San Diego, USA, 5–8 February 2012 (2012) [GC16] Ghosh, S., Chakrabarty, A.: Green energy harvesting from ambient RF radiation. In: 2016 International Conference on Microelectronics, Computing and Communications (MicroCom), pp. 1–4, January 2016 [GGK17] Ghodsi, Z., Garg, S., Karri, R.: Optimal checkpointing for secure intermittentlypowered IoT devices. In: 2017 IEEE/ACM International Conference on ComputerAided Design (ICCAD), pp. 376–383, November 2017 [Gir05] Giraud, C.: DFA on AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2004. LNCS, vol. 3373, pp. 27–41. Springer, Heidelberg (2005). https://doi.org/10.1007/11506447 4 [HHI+17] Habibzadeh, M., Hassanalieragh, M., Ishikawa, A., Soyata, T., Sharma, G.: Hybrid solarwind energy harvesting for embedded applications: supercapacitorbased system architectures and design tradeoﬀs. IEEE Circuits Syst. Mag. 17(4), 29–63 (2017) [Hic17] Hicks, M.: Clank: architectural support for intermittent computation. In: Proceedings of the 44th Annual International Symposium on Computer Architecture, ISCA 2017, pp. 228–240. ACM, New York (2017)
Exploiting Security Vulnerabilities in Intermittent Computing
123
[HNT+13] Helfmeier, C., Nedospasov, D., Tarnovsky, C., Krissler, J.S., Boit, C., Seifert, J.P.: Breaking and entering through the silicon. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & #38; Communications Security, CCS 2013, pp. 733–744. ACM, New York (2013) [JM17] Jokic, P., Magno, M.: Powering smart wearable systems with ﬂexible solar energy harvesting. In: 2017 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1–4, May 2017 [JRR14] Jayakumar, H., Raha, A., Raghunathan, V.: QUICKRECALL: a low overhead HW/SW approach for enabling computations across power cycles in transiently powered computers. In: 2014 27th International Conference on VLSI Design and 2014 13th International Conference on Embedded Systems, pp. 330–335, January 2014 [KJJ99] Kocher, P., Jaﬀe, J., Jun, B.: Diﬀerential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3540484051 25 [KJJL05] Kim, K., Jeong, G., Jeong, H., Lee, S.: Emerging memory technologies. In: Proceedings of the IEEE 2005 Custom Integrated Circuits Conference, pp. 423–426, September 2005 [KKSK15] Kannan, S., Karimi, N., Sinanoglu, O., Karri, R.: Security vulnerabilities of emerging nonvolatile main memories and countermeasures. IEEE Trans. Comput.Aided Des. Integr. Circuits Syst. 34(1), 2–15 (2015) [LR15] Lucia, B., Ransford, B.: A simpler, safer programming and execution model for intermittent systems. In: Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2015, pp. 575–585. ACM, New York (2015) [MA18] Mittal, S., Alsalibi, A.I.: A survey of techniques for improving security of nonvolatile memories. J. Hardw. Syst. Secur. 2(2), 179–200 (2018) [NNM+18] Navarro, C., et al.: InGaAs capacitorless DRAM cells TCAD demonstration. IEEE J. Electron Dev. Soc. 6, 884–892 (2018) [RSF11] Ransford, B., Sorber, J., Kevin, F.: Mementos: system support for longrunning computation on RFIDscale devices. SIGARCH Comput. Archit. News 39(1), 159–170 (2011) [SSAQ02] Samyde, D., Skorobogatov, S., Anderson, R., Quisquater, J.J.: On a new way to read data from memory. In: Proceedings of First International IEEE Security in Storage Workshop, pp. 65–69, December 2002 [SVRR13] Sharad, M., Venkatesan, R., Raghunathan, A., Roy, K.: Multilevel magnetic RAM using domain wall shift for energyeﬃcient, highdensity caches. In: International Symposium on Low Power Electronics and Design (ISLPED), pp. 64–69, September 2013 [Tex17a] Texas Instruments: MSP MCU FRAM Utilities (2017) [Tex17b] Texas Instruments: MSP430FR58xx, MSP430FR59xx, MSP430FR68xx, and MSP430FR69xx Family User’s Guide (2017) [WH16] Van Der Woude, J., Hicks, M.: Intermittent computation without hardware support or programmer intervention. In: 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2016), pp. 17– 32. USENIX Association, Savannah (2016)
124
A. S. Krishnan and P. Schaumont
[YCCC07] Yang, C.F., Chen, K.H., Chen, Y.C., Chang, T.C.: Fabrication of onetransistorcapacitor structure of nonvolatile TFT Ferroelectric RAM devices using BA(Zr0.1 Ti0.9)O3 gated oxide ﬁlm. IEEE Trans. Ultrason. Ferroelectr. Freq. Control 54(9), 1726–1730 (2007) [YHP09] Yun, S.N., Ham, Y.B., Park, J.H.: Energy harvester using PZT actuator with a cantilver. In: 2009 ICCASSICE, pp. 5514–5517, August 2009
EdSIDH: Supersingular Isogeny DiﬃeHellman Key Exchange on Edwards Curves Reza Azarderakhsh1 , Elena Bakos Lang2 , David Jao2,3,4 , and Brian Koziel5(B) 1
Department of Computer and Electrical Engineering and Computer Science, Florida Atlantic University, Boca Raton, FL, USA 2 Department of Combinatorics and Optimization, University of Waterloo, Waterloo, ON N2L 3G1, Canada 3 Centre for Applied Cryptographic Research, University of Waterloo, Waterloo, ON N2L 3G1, Canada 4 evolutionQ, Inc., Waterloo, ON, Canada 5 Texas Instruments, Dallas, TX, USA
[email protected]
Abstract. Problems relating to the computation of isogenies between elliptic curves deﬁned over ﬁnite ﬁelds have been studied for a long time. Isogenies on supersingular elliptic curves are a candidate for quantumsafe key exchange protocols because the best known classical and quantum algorithms for solving wellformed instances of the isogeny problem are exponential. We propose an implementation of supersingular isogeny DiﬃeHellman (SIDH) key exchange for complete Edwards curves. Our work is motivated by the use of Edwards curves to speed up many cryptographic protocols and improve security. Our work does not actually provide a faster implementation of SIDH, but the use of complete Edwards curves and their complete addition formulae provides security beneﬁts against sidechannel attacks. We provide run time complexity analysis and operation counts for the proposed key exchange based on Edwards curves along with comparisons to the Montgomery form. Keywords: Edwards curves · Isogeny arithmetic Supersingular isogeny DiﬃeHellman key exchange
1
Introduction
According to our current understanding of the laws of quantum mechanics, quantum computers based on quantum phenomena oﬀer the possibility of solving certain problems much more quickly than is possible on any classical computer. Included among these problems are almost all of the mathematical problems upon which currently deployed publickey cryptosystems are based. NIST has recently announced plans for transitioning to postquantum cryptographic protocols, and organized a standardization process for developing such cryptosystems [9]. One of the candidates in this process is Jao and De Feo’s Supersingular c Springer Nature Switzerland AG 2018 A. Chattopadhyay et al. (Eds.): SPACE 2018, LNCS 11348, pp. 125–141, 2018. https://doi.org/10.1007/9783030050726_8
126
R. Azarderakhsh et al.
Isogeny DiﬃeHellman (SIDH) proposal [14], which is based on the pathﬁnding problem in isogeny graphs of supersingular elliptic curves [8,10]. Isogenies are a special kind of morphism of algebraic curves, which have been studied extensively in pure mathematics but only recently proposed for use in cryptography. We believe isogenybased cryptosystems oﬀer several advantages compared to other approaches for postquantum cryptography: – Their security level is determined by a simple choice of a single public parameter. The temptation in cryptography is always to cut parameter sizes down to the bare minimum security level, for performance reasons. By reducing the number of securitysensitive parameters down to one, it becomes impossible to accidentally choose one parameter too small in relation to the others (which harms security), or too large (which harms performance). – They achieve the smallest public key size among those postquantum cryptosystems which were proposed to NIST [30, Table 5.9]. – They are based on numbertheoretic complexity assumptions, for which there is already a large base of existing research, activity, and community expertise. – Implementations can leverage existing widely deployed software libraries to achieve necessary features such as sidechannel resilience. Relative to other postquantum candidates, the main practical limitation of SIDH currently lies in its performance which requires more attention from cryptographic engineers. The majority of speedoptimized SIDH implementations (in both hardware and software platforms) use Montgomery curves [1,2,11–14,16,17,22–26,32], which are a popular choice for cryptographic applications due to their fast curve and isogeny arithmetic. Only [27] is an exception as it considers a hybrid EdwardsMontgomery SIDH scheme that still uses isogenies over Montgomery curves. Alternative models for elliptic curves have been studied for fast computation such as Edwards curves, whose complete addition law presents security and speed beneﬁts for the implementation of various cryptographic protocols. Edwards curves and Montgomery curves share many characteristics, as there is a birational equivalence between the two families of curves. Edwards curves remove the overhead of checking for exceptional cases, and twisted Edwards form removes the overhead of checking for invalid inputs. In this paper, we study the possibility of using isogenies of Edwards curves in the SIDH protocol, and study its potential speed and security beneﬁts. Our results indicate that although Montgomery curves are faster for SIDH computations, the completeness of Edwards curves formulae provides additional security beneﬁts against sidechannel attacks. Since SIDH is still in its infancy, it is unclear if exceptional cases could be used as the basis for a sidechannel attack, but in any case our EdSIDH implementation defends against this possibility. Our contributions can be summarized as follows: – We propose EdSIDH: fast formulas for SIDH over Edwards curves. – We investigate isogeny formulas on projective and completed Edwards forms. – We propose fast formulas for Edwards curve isogenies of degree 2, 3, and 4.
EdSIDH: SIDH Key Exchange on Edwards Curves
127
The rest of the paper is organized as follows: In the rest of this section, we provide preliminaries of Edwards curves and review the SIDH protocol. In Sect. 2, we provide new formulae for a key exchange scheme based on Edwards curves. In Sect. 3, we present fast equations for EdSIDH arithmetic and analyze their running time complexity in terms of operation counts. In Sect. 4, we analyze the complexity of incorporating our Edwards arithmetic in SIDH. Finally, we conclude the paper in Sect. 5. Independent work on fast isogeny formulas for Edwards curves was done in [19]. 1.1
The Edwards Form
In 2007, Edwards introduced a new model for elliptic curves [15] called Edwards curves. Twisted Edwards curves are a generalization of Edwards curves, with each twisted Edwards curve being a quadratic twist of an Edwards curve. Twisted Edwards curves are deﬁned by the equation Ea,d : ax2 + y 2 = 1 + dx2 y 2 over a ﬁeld K, with d = 0, 1; a = 0. When a = 1, the curve deﬁned by Ea,d is an Edwards curve. The isomorphism (x, y) → √xa , y maps the twisted Edwards curve Ea,d to
the √ isomorphic Edwards curve E1,d/a , with the inverse map given by (x, y) → ( ax, y) [4]. Over ﬁnite ﬁelds, only curves with order divisible by 4 can be expressed in the (twisted) Edwards form. The group addition law on twisted Edwards curves is deﬁned by: x1 y2 + x2 y1 y1 y2 − ax1 x2 , , (1) (x1 , y1 ) + (x2 , y2 ) = 1 + dx1 x2 y1 y2 1 − dx1 x2 y1 y2
with identity element (0, 1). If ad is not a square in K, then the twisted Edwards addition law is strongly uniﬁed and complete: it can be used for both addition and doubling, and has no exceptional points. Additionally, when this is the case, the curve Ea,d has no singular points. These properties of Edwards curves have in the past proved valuable, and have been used for simpler implementations and protection against side channel attacks in various cryptographic protocols [6]. However, if ad is not a square, then Ea,d has only one point of order 2, namely (0, −1) [5, Theorem 3.1]. As we will see later, the SIDH protocol is based on the repeated computation of 2isogenies (with the private key deﬁned as a point of order 2k ). As such, a unique point of order 2 would compromise the scheme’s security, which means we must consider curves where ad is a square in K. In the next section, we consider the additional points that occur when ad is a square, and present curve embeddings that allow us to desingularize these points. In the case where ad is not a square, it is often useful to consider the dual addition law for Edwards curves: x1 y1 + x2 y2 x1 y1 − x2 y2 (x1 , y1 ) + (x2 , y2 ) → , . (2) y1 y2 + ax1 x2 x1 y2 − y1 x2
128
R. Azarderakhsh et al.
The addition law and dual addition law return the same value if both are deﬁned. Additionally, for any pair of points on a twisted Edwards curve, at least one of the two addition laws will be deﬁned. 1.2
Projective Curves and Completed Twisted Edwards Curves
If is a square in K, then there are points (x1 , y1 ), (x2 , y2 ) on the curve Ea,d for which (1 − dx1 x2 y1 y2 )(1 + dx1 x2 y1 y2 ) = 0 and the group law is not deﬁned. We can embed the curve into projective space, add new singular points at inﬁnity and generalize the group law to work for the new embedding, as is often done. We consider two representations of points on twisted Edwards curves, namely projective coordinates and completed coordinates. The projective twisted Edwards curve is deﬁned by aX 2 Z 2 + Y 2 Z 2 = Z 4 + 2 2 dX Y . The projective points are given by the aﬃne points, embedded as usual into P 2 by (x, y) → (x : y : 1), and two extra points at inﬁnity, (0 : 1 : 0) of order 4, and (1 : 0 : 0) of order 2. A projective point (X : Y : Z) corresponds to Y the aﬃne point (x, y) = ( X Z , Z ). Adding a generic pair of points takes 10M + 1S + 1A + 1D operations, and doubling takes 3M + 4S + 1A operations [5]. The completed twisted Edwards curve is deﬁned by the equation: a d
¯a,d := aX 2 T 2 + Y 2 Z 2 = Z 2 T 2 + dX 2 Y 2 E
(3)
1 The completed points are given by the aﬃne points embedded into P1 × P via (x, y) → ((x : 1), (y : 1)), and up to four extra points at inﬁnity, ((1 : 0), (± ad : √ 1)) and ((1 : ± d), (1 : 0)) [7]. The aﬃne equivalent of a completed point Y ((X : Z), (Y : T )) is given by (x, y) = ( X Z , T ). If P1 = ((X1 : Z1 ), (Y1 : T1 )) and P2 = ((X2 : Z2 ), (Y2 : T2 )), then the group law is deﬁned as follows:
X3 = X1 Y2 Z2 T1 + X2 Y1 Z1 T2 Z3 = Z1 Z2 T1 T2 + dX1 X2 Y1 Y2
X3 = X1 Y1 Z2 T2 + X2 Y2 Z1 T1 , Z3 = aX1 X2 T1 T2 + Y1 Y2 Z1 Z2 ,
Y3 = Y1 Y2 Z1 Z2 − aX1 X2 T1 T2 T3 = Z1 Z2 T1 T2 − dX1 X2 Y1 Y2
Y3 = X1 Y1 Z2 T2 − X2 Y2 Z1 T1 , T3 = X1 Y2 Z2 T1 − X2 Y1 Z1 T1 .
Hence we have X3 Z3 = X3 Z3 and Y3 T3 = Y3 T3 , with either (X3 , Z3 ) = (0, 0) and (Y3 , T3 ) = (0, 0) or (X3 , Z3 ) = (0, 0) and (Y3 , T3 ) = (0, 0). We set P1 + P2 = P3 , where P3 is either ((X3 : Z3 ), (Y3 : T3 )) or ((X3 : Z3 ), (Y3 : T3 )), depending on which of the above equations holds. With the identity point ((0 : 1)(1 : 1)), the above deﬁnes a complete set of addition laws for complete twisted Edwards curves. This result formalizes the combination of the aﬃne and dual addition law into a single group law. The following result from Bernstein and Lange in [7] allows us to categorize pairs of points for which each addition law is deﬁned: When computing the law fails exactly √ result of P + Q, the original addition when P − Q = ((1 : ± d), (1 : 0)) or P − Q = ((1 : 0), (± a/d : 1)). By the categorization of points of low even order from [5], the original addition law fails
EdSIDH: SIDH Key Exchange on Edwards Curves
129
when P − Q is a point at inﬁnity of order 2 or 4. In particular, the original addition law is always deﬁned for point doubling, as P − P = O, which has order 1. √ The dual addition law fails exactly when P − Q = ((1 : ± a), (0 : 1)) or P − Q = ((0 : 1), (±1 : 1)). In particular, the dual addition law fails exactly when P − Q is a point of order 1, 2 or 4 and is not a point at inﬁnity. We can use this categorization results to minimize the number of times we need to use the addition law for completed Edwards curves by considering order of the pairs of points involved in each section of the EdSIDH protocol. 1.3
Isogenies and Isogeny Computation
Isogenies are deﬁned as structure preserving maps between elliptic curves. They are given by rational maps between the two curves, but can be equivalently deﬁned by their kernel. If this kernel is generated by a point of order , then the isogeny is known as an isogeny. In [31], V´elu explicitly showed how to ﬁnd the rational functions deﬁning an isogeny for an elliptic curve in Weierstrass form, given the kernel F . The computation of isogenies of large degree can be reduced to the computation of smaller isogenies composed together, as described in [14]. For instance, consider computing an isogeny of degree e . We reduce it to e computations of degree isogenies by considering a point R ∈ E of degree e that generates the kernel. We start with E0 := E, R0 := R and iteratively compute Ei+1 = Ei /le−i−1 Ri , φi : Ei → Ei+1 , Ri+1 = φi (Ri ), using V´elu’s formulas to compute the isogeny at each iteration. 1.4
A review of IsogenyBased KeyExchange
Fix two small prime numbers A and B and an integer cofactor f , and let p be a large prime of the form p = eAA eBB f ± 1 for some integers eA , eB . Let E be a supersingular elliptic curve deﬁned over Fp2 which has group order (eAA eBB f )2 . All known implementations to date choose A = 2, B = 3 and f = 1, although other choices of A , B are possible. Public parameters consist of the supersingular elliptic curve E, and bases {PA , QA } and {PB , QB } of E[eAA ] and E[eBB ] respectively. During one round of keyexchange, Alice chooses two secret, random elements mA , nA ∈ Z/eAA Z, not both divisible by A , and computes an isogeny φA : E → EA with kernel KA := [mA ]PA , [nA ]QA . She also computes the image φA (PB ), φA (QB ) of the basis {PB , QB }. Similarly, Bob selects raneB Z, and computes an isogeny φB : E → EB with dom elements mB , nB ∈ Z/lB kernel KB := [mB ]PB , [nB ]QB , along with the points φB (PA ), φB (QA ). After receiving EB , φB (PA ), φB (QA ), Alice computes an isogeny φA : EB → EAB with kernel [mA ]φB (PA ), [nA ]φB (QA ). Bob proceeds similarly to obtain a curve EBA that is isomorphic to EAB . Alice and Bob then use as their shared secret the jinvariant common to EBA and EAB . For more about the key exchange based on isogenies, please refer to [14].
130
2
R. Azarderakhsh et al.
EdSIDH
In this section, we provide even and odd isogenies over Edwards curves and propose a new formulation for SIDH, which we call EdSIDH moving forward. Here, we use M, S, C to refer to the cost of a multiplication, squaring, and multiplication by a curve constant in Fp2 . We will also use R to refer to the cost of a square root, and I to the cost of an inversion. As is usually done, we ignore the cost of addition and subtraction as the cost is signiﬁcantly smaller than the cost of multiplication and inversion. 2.1
Odd Isogenies in Edwards Form
In [29], Moody and Shumow presented isogeny formulas for odd on Edwards curves. Let the subgroup F = (α, β) = {(0, 1), (±α1 , β1 ), . . . , (±αs , βs )} be the kernel of the desired isogeny, with = 2s + 1 and (α, β) a point of order on the curve Ed that generates F . Then ⎞ ⎛ xP +Q yP +Q ⎠ (4) ψ(P ) = ⎝ , yQ yQ Q∈F
Q∈F
s maps Ed to Ed , where d = B 8 d and B = i=1 βi . If d is not a square in K, the aﬃne addition law is deﬁned everywhere. Note that any odd isogeny from a curve with d not square maps to a curve with d not square, as for an odd d = B 8 d is a square if and only if d is a square. This implies that if we chain odd isogenies starting with the curve Ed with d not a square in K, then the aﬃne addition law will be deﬁned for any pair of points on any Edwards curve in the chain as they will all have a nonsquare coeﬃcient. The next proposition shows that the aﬃne addition law is deﬁned for all pairs of points in an odd isogeny computation even if d is not a square in K. Proposition 1. The aﬃne addition law is deﬁned for all point additions in the EdSIDH protocol. Proof. During the EdSIDH protocol, we need to evaluate each 3isogeny three times: on the current kernel point of order 3k for some k ≤ eA , and on Alice’s public points PA , QA of order 2A . When evaluating ψ(P ), we must compute P + Q for all Q ∈ F (note that all such Q’s have odd order). These are the only additions we need to do in order to compute an isogeny. We now consider a few cases that cover these additions. If P and Q both have odd order, then −Q also has odd order, and P − Q must have odd order as the order divides lcm(ord(P ), ord(Q)). Therefore, it cannot be equal to a point at inﬁnity as they have order either 2 or 4. Thus, by the categorization of exceptional points for the group law in Sect. 1.2, we can compute P + Q using the aﬃne addition law. Similarly, if P has even order 2A , we note that gcd(ord(P ), ord(−Q)) = 1 for all Q in the kernel of the 3 isogeny. Hence, we have that ord(P − Q) =
EdSIDH: SIDH Key Exchange on Edwards Curves
131
lcm(ord(P ), ord(−Q)) = lcm(ord(P ), ord(Q)). As ord(Q) is odd, this implies P − Q is not a point of order 2 or 4 (if ord(Q) = 1 =⇒ Q = O, then the aﬃne addition law is always deﬁned for P + Q). Thus, in all cases, we can use the original addition law to compute and evaluate a 3isogeny. We can use the aﬃne addition law to derive explicit coordinate maps for a isogeny with kernel F (where = 2s + 1):
s s y βi2 y 2 − αi2 x2 x βi2 x2 − αi2 y 2 , ψ(x, y) = B 2 i=1 1 − d2 αi2 βi2 x2 y 2 B 2 i=1 1 − d2 αi2 βi2 x2 y 2 Moody and Shumow also presented an isogeny formula for twisted Edwards curves. However, since each twisted Edwards curve is isomorphic to an Edwards curve, and the even isogeny formulas presented later output Edwards curves (with a = 1), one can use the isogeny formulas for Edwards curves (which are slightly faster to compute). 2.2
Even Isogenies in Edwards Form
In [29], Moody and Shumow presented Edwards curves isogenies formulas for isogenies with kernel {(0, 1), (0, −1)}. We generalize their work in two ways. First, we extend their formulas to work for 2isogenies on completed twisted Edwards curves with arbitrary kernels. Then we show how to calculate 4isogenies on Edwards curves. Finally, we consider methods for decreasing the computation cost for even isogenies in EdSIDH. Suppose we want to compute an isogeny with kernel P2 , where P2 is a point of order 2 on Ea,d . We follow an approach similar to that given in [14]. Since we already know how to calculate 2isogenies with kernel {(0, 1), (0, −1)}, we ﬁnd an isomorphism that maps P2 to (0, −1) and then use one of Moody’s [29] isogeny formulas. Proposition 2. There exists an isomorphism between complete twisted Edwards curves that maps a point P2 of order 2 to the point (0, −1). Proof. We construct the desired isomorphism as follows. An isomorphism ¯a,d and the Montgomery curve EA,B : between the complete Edwards curve E By 2 = x3 + Ax2 + x (in projective coordinates) is given in [7] by: (0 : 0 : 1) if ((X : Z), (Y : T )) = ((0 : 1), (−1 : 1)) φ : ((X : Z), (Y : T )) → ((T + Y )X : (T + Y )Z : (T − Y )X) otherwise ⎧ ⎪ ⎨((0 : 1), (1 : 1)) −1 φ : (U : V : W ) → ((0 : 1), (−1 : 1)) ⎪ ⎩ ((U : V ), (U − W : U + W ))
(U : V : W ) = (0 : 1 : 0) (U : V : W ) = (0 : 0 : 1) otherwise
132
R. Azarderakhsh et al.
4 A+2 A−2 where A = 2(a+d) (a−d) , B = (a−d) (and a = B , d = B ). This isomorphism maps the point (0, −1) to (0, 0), and vice versa. An isomorphism between Montgomery curves mapping any point (x2 , y2 ) of order 2 to (0, 0) and a point (x4 , y4 ) doubling to it to the point (1, . . .) is presented in [14, Eq. (15)]: x − x2 y , (5) φ2 : (x, y) → x4 − x2 x4 − x2 3x2 +A 2 2 3 The new curve has equation E : x4 B −x2 y = x + x4 −x2 x + x. Since φ, φ−1 , and φ2 are isomorphisms, φ−1 · φ2 · φ is also an isomorphism. Thus, we get an isomorphism mapping any point of order 2 to ((0 : 1)(−1 : 1)) ¯a,d . on E
The resulting curve has coeﬃcients a =
[x2 + 2x4 ](a − d) + 2(a + d) 4
d =
[5x2 − 2x4 ](a − d) + 2(a + d) , 4
where x2 and x4 are the xcoordinates of the point of order 2 and 4 on the Montgomery curve. These coordinates can be retained from the isogeny computation, and thus can be used here at no cost. The map (x, y) → ( x2 , y) maps the curve Ea ,d to the curve E4a ,4d , thus removing the inversion. The curve coeﬃcients can thus be calculated in 2M . By using projective coordinates, we can calculate this isomorphism in 14M operations. Mapping a completed point to the Montgomery curve takes 3M operations, and 2M operations if we only need the X, Z coordinates (as is the case for the points of order 2 and 4), for a total of 7M to map all points to the Montgomery curves. The isomorphism φ2 then takes 7M operations in projective coordinates, and the isomorphism back to an Edwards curve does not involve any addition. Thus, the total operations needed (ignoring addition and subtraction as is usually done) is 14M operations. To calculate an arbitrary 2isogeny of Edwards curves, we can ﬁrst use the isomorphism presented above, and then apply one of the three Edwards curve 2isogenies presented in [29]. 2isogenies on Edwards Curves. All 2isogeny equations given by Moody and Shumow [29] require the computation of a square root, which makes them illsuited to the SIDH framework, as many of them need to be calculated. However, when we know a point P8 of order 8 such that 4P8 = (0, −1), we can ﬁnd a square rootfree 2isogeny formula for Edwards curves. Consider a twisted Edwards curve Ea,d : ax2 + y 2 = 1 + dx2 y 2 . A birational transformation sending Ea,d to the curve E : y 2 = x3 + 2(a + d)x2 + (a − d)2 x is given by: 2(1 + y) 1+y , (a − d) φ1 : (x, y) → (a − d) 1−y x(1 − y)
EdSIDH: SIDH Key Exchange on Edwards Curves
133
By V´elu’s formulas [31], a 2isogeny on this curve with kernel {(0, 0), ∞} is given by: 2 x + (a − d)2 x2 − (a − d)2 ,y φ2 : (x, y) → x x2 The equation for the resulting curve is E : y 2 = x3 + 2(a + d)x2 − 4(a − d)2 x − 8(a + d)(a − d)2 Using one of the points of order 2 on this curve, we can map it to a curve of the form y 2 = x3 + ax2 + x. For instance, the point (2(a − d), 0) has order 2, and the transformation (x, y) → (x − 2(a − d), 0) maps the curve E to the curve E : y 2 = x3 − 4(d − 2a)x2 + 16(a − d)x Now, if we have a point of order 4 (r1 , s1 ), the map φ3 : (x, y) → 4r 3
s1 x x−r1 r1 y , x+r1
maps to the curve x2 + y 2 = 1 + d x2 y 2 , where d = 1 − s21 . 1 If we evaluate the point P8 of order 8 through the ﬁrst three maps, we obtain a point of order 4 on the curve E , since the 2isogeny brings 4P8 = (0, 0) to the identity point. Doing so, we can obtain explicit equations for a 2isogeny. Consider a point P8 = (α, β) of order 8 on the curve Ea,d (Note that P8 can be written in aﬃne form, as all singular points have order 2 or 4). Then we have that β 2 (a − d) β(a − d) ,8 (α1 , β1 ) = (−4 2 β −1 α(1 − β 2 ) is a point of order 4 on the curve y 2 = x3 − 4(d − 2a)x2 + 16(a − d)x. We obtain 4 2 . Thus, a 2isogeny mapping the curve Ea,d to the curve E1,d d = 1 + 4 β αβ 2(a−d) −1 is given by: xy x(β 2 − 1) + 4β 2 (a − d) , (x, y) → αβ x(β 2 − 1) − 4β 2 (a − d) In the SIDH keyexchange calculations, a point of order 8 will be known for all but the last two isogeny calculations, as we are calculating an isogeny with kernel generated by a point of order 2eA , with eA large. Recall that in the SIDH protocol, Alice selects an element RA = [mA ]PA + [nA ]QA of the elliptic curve E of order 2eA , which generates the kernel of the isogeny φA . She computes the isogeny iteratively, one 2 or 4 isogeny at a time. Consider one step in this process: is a point of order 2eA −k on the curve E , a kisogeny of the Suppose RA original curve E. For the next step in the iteration, Alice computes the points = 2eA −k−3 RA and 4RA = 2eA −k−1 RA . We have that 4RA is a point of order RA 2 on the curve E , with RA a point of order 8 above it. Thus, we can use these , as described above. points to calculate a 2isogeny with kernel 4RA
134
R. Azarderakhsh et al.
4isogenies on Edwards Curves. Let us assume we are given a twisted Edwards curve Ea,d and a point P4 on the curve of order 4. We want to calculate a 4isogeny on the curve with kernel generated by P4 , without knowing a point of order 8 that doubles to P4 . We can do so as √ follows: Use the isomorphism presented earlier to map P4 and 2P4 to ((1 : a ), (0 : 1)), ((0 : 1), (−1 : 1)) respectively, on some isomorphic curve Ea ,d . Then use the isomorphism (x, y) → ( √xa , y) to map the curve to E1, d . Finally, compose the following two a 2isogeny formulas of Moody and Shumow [29] to calculate the 4isogeny: (γ ∓ 1)y 2 ± 1 φ1 (x, y) → (γ ± 1)xy, (γ ± 1)y 2 ∓ 1 x 1 − d y 2 d ∓ ρ ρy 2 ± 1 , φ2 (x, y) → i(ρ ∓ 1) y 1 − d d ± ρ ρy 2 ∓ 1 ρ±1 2 2 ˆ that map E1,d to E1,d with d = ( γ±1 γ∓1 ) and E1,d to E1,dˆ with d = ( ρ∓1 ) , 2 2 2 where γ = 1 − d and ρ = d , i = −1 in K. Note that d is, by deﬁnition, a square in K and so the curve E1,d will have singular points and exceptions to the group law. Both isogenies have √ kernel {((0 : 1), (−1 : 1)), ((0 : 1), (1 : 1))} and the ﬁrst isogeny maps ((1 : a ), (0 : 1)) to ((0 : 1), (−1 : 1)), so √ the composition is well deﬁned as a 4isogeny with kernel generated by ((1 : a ), (0 : 1)). Composing the two equations for the curve coeﬃcient, we get:
dˆ =
ρ±1 ρ∓1
2 =
( γ±1 γ∓1 ) ± 1 ( γ±1 γ∓1 ) ∓ 1
2
=
(γ ± 1) ± (γ ∓ 1) (γ ± 1) ∓ (γ ∓ 1)
which costs one square root and one inversion. The value of i = be computed and stored ahead of time to evaluate 4isogenies.
3
2
√
−1 in K can
EdSIDH Arithmetic
Here we describe our explicit formulas for fast isogenies of degree 2, 3, and 4 for Edwards curves. 3.1
Point Multiplication by
Let P be a point on our curve and an integer, and suppose we want to compute P . By [5], we know that the aﬃne group law is always deﬁned for point doublings (even when d is a square in the ﬁeld K). To compute this, we can use a ladder algorithm, which takes n steps (where n is the number of bits of ), each consisting of a doubling and a point addition.
EdSIDH: SIDH Key Exchange on Edwards Curves
135
On a projective curve, we know from [6] that we can double a point by 3M + 4S, and adding arbitrary points takes 10M + 1S + 1C. On complete curves, doubling takes 5M + 4S + 1C, and addition takes 29M operations. 3.2
Computing 3isogenies
In the case where a = 1 and d is not a square in K, Moody and Shumow [29] presented a way to calculate a 3isogeny in projective form with kernel {(0, 0), (±A, B, 1)} at a cost of 6M + 4S + 3C. Generalizing to the case where P3 = (α, β, ζ) is a point of order 3 (with A = α/ζ, B = β/ζ), and we want to evaluate the 3isogeny with kernel P3 on a generic projective point (x, y, z), we get the following equations for the evaluation of the 3isogeny: ψ(x, y, z) = (xzγ 4 (β 2 x2 − α2 y 2 ), yzγ 4 (β 2 y 2 − α2 x2 ), β 2 (γ 4 z 4 − d2 x2 y 2 α2 β 2 ))) It takes 13M + 9S operations to compute ψ(x, y, z). If we are evaluating the isogeny at multiple points, we don’t need to recompute α2 , β 2 , γ 2 , γ 4 , d2 , thus bringing the cost to 13M + 4S for each additional point evaluation. We can compute the curve coeﬃcient d = β 8 d3 by computing β 8 = ((β 2 )2 )2 and d3 = d2 d for a total cost of 3S + 2M , or 4S + 2M if we didn’t evaluate the isogeny ahead of time. 3.3
Computing 2isogenies
Let us consider the 2isogeny equation presented in Sect. 2.2, where (α, β) is a point of order 8 on the curve Ea,d . xy x(β 2 − 1) + 4β 2 (a − d) (x, y) → , αβ x(β 2 − 1) − 4β 2 (a − d) We can compute it using 2I + 7M + 1S or I + 10M + 1S with a simultaneous inversion. Alternatively, we can deﬁne an equivalent version for completed Y A B coordinates by representing x = X Z , y = T , α = ZP , β = TP : ((X : Y ), (Z : T )) → ((XY ZP TP : ABZT ), (X(B 2 − TP2 ) + 4B 2 (a − d)Z : X(B 2 − TP2 ) − 4B 2 (a − d)Z)) Precomputing shared subexpressions allows us to compute this in 9M + 2S operations. Combined with the 14M operations for the isomorphism bringing any point of order 2 to (0, −1), we get a total of 23M + 2S operations. We could also compute this isogeny using projective coordinates, where x = X A B Z , y = Y, Z, α = Z0 , β = Z0 : (X : Y : Z) → (XY Z02 , X(B 2 − Z02 ) + 4B 2 Z(a − d), Z 2 A2 B 2 (X(B 2 − Z02 ) − 4B 2 Z(a − d)))
136
R. Azarderakhsh et al.
which can be computed in 7M + 3S operations. Combining this with the 14M operations for the isomorphism bringing any point of order 2 to ((0 : 1), (−1 : 1)) and the map ((X : Z), (Y : T )) → (XT, Y Z, T Z) (3M ) that embeds a completed point into a projective curve, we get a total cost of 24M + 3S (which is more expensive than using completed coordinates). 4 2 . This can be computed The curve coeﬃcient is given by d = 1 + 4 β αβ 2(a−d) −1 in 5M + 1I operations. Combining this with the 2M operations used to compute the curve coeﬃcients from the isomorphism, we get a total of 7M +1I operations. 3.4
Computing 4isogenies
Recall the 4isogeny formulas presented in the Sect. 2.2 (γ ∓ 1)y 2 ± 1 φ1 (x, y) → (γ ± 1)xy, (γ ± 1)y 2 ∓ 1 2 2 that maps E1,d to E1,d with d = ( γ±1 γ∓1 ) where γ = 1 − d, and x 1 − d y 2 d ∓ ρ ρy 2 ± 1 , φ2 (x, y) → i(ρ ∓ 1) y 1 − d d ± ρ ρy 2 ∓ 1 2 2 2 that maps E1,d to E1,dˆ with dˆ = ( ρ±1 ρ∓1 ) , where ρ = d , i = −1 in K. We can X Y rewrite these in P1 × P1 , writing x = Z , y = T as follows:
φ1 ((X, Z), (Y, T )) → (((γ ± 1)XY, ZT ), ((γ ∓ 1)Y 2 ± T 2 , (γ ± 1)Y 2 ∓ T 2 )) and φ2 ((X, Z), (Y, T )) → (((i(ρ ∓ 1)XT (T 2 − dY 2 ), Y ZT 2 (1 − d)), ((d ∓ ρ)(ρY 2 ± T 2 ), (d ± ρ)(ρY 2 ∓ T 2 ))) We can compute φ1 in 7M operations, and φ2 in 13M operations. √ Adding the cost of the isomorphism that brings our point of order 4 to ((1 : a ), (0 : 1)), we get a total cost of 34M to evaluate a 4isogeny. Due to the complete lack of symmetry between the x and y coordinates in both the φ1 and φ2 maps, using projective coordinates takes even more operations than using completed coordinates (for instance evaluating φ1 in projective coordinates would take 7M + 2S to compute). Hence, the fastest way to evaluate a 4isogeny with points on projective coordinates would be to embed them in the complete curve (no cost), evaluate the isogeny, and map them back to a projective curve via the map ((X : Z), (Y : T )) → (XT, Y Z, T Z) which takes 3M operations. The total cost is thus 37M operations. √ 2 1−d Calculating the curve coeﬃcient, given by ( (γ±1)±(γ∓1) (γ±1)∓(γ∓1) ) with γ = additionally requires 1R + 1I + 1S. Since computing 4isogenies is signiﬁcantly more expensive than computing 2isogenies due to the need to compute a square root, we propose using 2isogenies whenever a suitable point of order 8 is known. In practice, this means we will only compute one 4isogeny, at the very last iteration of isogeny computations.
EdSIDH: SIDH Key Exchange on Edwards Curves
4
137
EdSIDH Computation Cost
Here, we analyze the full complexity to use Edwards curves for SIDH. Notably, we look at the cost of the largedegree isogeny computations, based on the operation costs presented in Sect. 3. 4.1
Secret Kernel Generation
In SIDH, the secret kernel is generated from the doublepoint multiplication R = nP + mQ. However, as noted by [14], we can choose any such generator formula, including R = P + mQ. This formulation for a doublepoint multiplication greatly reduces the total cost of the doublepoint multiplication. In particular, [14] describes a 3point Montgomery diﬀerential ladder that can be used with Montgomery coordinates, at the cost of two diﬀerential point additions and one point doubling per step. FazHern´ andez et al. [16] recently proposed a righttoleft variant of the 3point ladder that only requires a single diﬀerential point addition and a single point doubling per step. Table 1. SIDH secret kernel generation cost per bit Scheme
Cost per bit
Kummer Montgomery [14] 9M + 6S Kummer Montgomery [16] 6M + 4S Edwards with Montgomery ladder Projective Edwards
13M + 5S + 1C
Complete Edwards
34M + 4S + 1C
Edwards with window method (k = 4) Projective Edwards
5.5M + 4.25S + 0.25C
Complete Edwards
12.25M + 4S + 1C
For EdSIDH, a 3point ladder is not necessary to perform R = P + mQ. We can ﬁrst perform the mQ computation and then simply ﬁnish with a point addition with P . Two options to compute the mQ computation are the standard Montgomery powering ladder [28] or the window approach [6]. The Montgomery ladder is a constant set of an addition and doubling for each step, whereas the window approach with a kbit window performs k point doublings and then an addition. In Table 1, we compare the relative costs per bit in the secret key for this doublepoint multiplication. Note that this cost per bit does not include the ﬁnal point addition for P + mQ as this operation is a constant cost. Thus, as we can see, there is a slight speed advantage with using projective Edwards curves with the Window method. We note that there are some security implications when using the window method instead of the Montgomery ladder, which we do not discuss here.
138
4.2
R. Azarderakhsh et al.
Secret Isogeny Computation
The second part of the SIDH protocol involves a secret isogeny walk based on the secret kernel. In this computation we chain isogenies of degree with kernel points e−i−1 Ri . To eﬃciently calculate these kernel representations, we used the combinatorics strategy from [14]. By using pivot points to traverse a oneway acyclic graph, we can create an optimal strategy that represents the least cost to compute the largedegree isogeny. To evaluate our EdSIDH formulas against the known Montgomery formulas, we computed the costs of our point multiplication by and isogeny evaluation by . Based on the relative cost, we computed an optimal strategy based on the algorithm from [14]. We used this to calculate the total cost of a largedegree isogeny for our Edwards isogeny formulas as well as the Montgomery formulas from previous works. Table 2 compares the cost of various isogeny and elliptic curve operations and Table 3 represents the full and normalized cost of a largedegree isogeny for the primes listed. We chose the primes p503 = 2250 3159 − 1 and p751 = 2372 3239 − 1 which have a quantum security of 83 and 124 bits, respectively. As these tables show, Edwards arithmetic is a fair bit slower than Montgomery arithmetic. Largedegree isogenies with base degree 2 or 3 appear to be 2–3 times slower and base degree 4 isogenies are about 10 times slower when comparing Edwards to Montgomery. Interestingly, isogenies of degree 3 appear to be more eﬃcient than isogenies of degree 2 for Edwards curves. Table 2. Aﬃne isogeny formulas vs. projective isogenies formulas. For the ﬁrst column, the isogeny computations follow the form: 2P for point doubling, 2coef for ﬁnding a new isogenous curve of degree 2, and 2pt for pushing an point through an isogeny of degree 2. For this work’s columns, the ﬁrst column is for projective Edwards coordinates and the second column is for completed Edwards coordinates. Iso. Comp. Aﬃne Mont. [14] Proj. Mont. [12] Aﬃne Ed. (this work) Proj. Complete 2P
3M + 2S

3M + 4S
5M + 4S + C
2coef
I + 4M + S + C

I + 7M
I + 7M
2pt
2M + 1S

24M + 3S
23M + 2S
3P
7M + 4S
7M + 5S
13M + 5S + C 
3coef
I + 4M + S + C
2M + 3S
2M + 4S

3pt
4M + 2S
4M + 2S
13M + 9S

4P
6M + 4S
8M + 4S
6M + 8S
10M + 8S + 2C
4coef
I + 2M + C
4S
R+I +S
R+I +S
4pt
6M + S
6M + 2S

34M
EdSIDH: SIDH Key Exchange on Edwards Curves
139
Table 3. Normalized complexities for a largedegree isogeny computation for diﬀerent coordinate schemes. We found the total cost of a largedegree isogeny for the formulas in Table 2 over isogenies with base 2, 3, and 4. We then converted these costs from quadratic extension ﬁeld arithmetic to the number of multiplications in the base prime ﬁeld for easy comparison. Notably, we assumed that SIDH arithmetic is in Fp2 with irreducible modulus x2 + 1 (as is the case in known implementations) for eﬃcient com˜ ), where Fp2 operations putations. These are the total number of Fp multiplications (M ˜ ˜ ˜ ˜ , and C = 2M ˜. are converted as follows: R = 22log2 pM , I = 10M , M = 3M , S = 2M We assumed an inversion was performed with extended Euclidean algorithm and the square root required two large exponentiations. Largedegree isogeny Aﬃne Mont. [14] Proj. Mont. [12] Aﬃne Ed. (this work) Proj. Complete 250 ˜ ˜ ˜ 2 27102M 87685M 97841M ˜ ˜ ˜ 3159 29686M 28452M 65355M 4125 372
2
239
3
186
4
5
˜ 22617M ˜ 42516M
˜ 24126M
˜ 47650M ˜ 36118M
˜ 45864M ˜ 38842M

˜ 191278M ˜ 181582M ˜ 155450M ˜ 140454M ˜ 105469M ˜ 384732M ˜ 385756M
Conclusions and Future Work
In this paper, we investigated employing Edwards curve for the supersingular isogeny DiﬃeHellman key exchange protocol and provided the required arithmetic and complexity analyses. Edward curves are attractive in the sense that they provide extra security beneﬁts by having complete and uniﬁed addition formulae, which are not oﬀered by Weierstrass and Montgomery forms. Furthermore, we have seen that there are simple and elegant odd isogenies for Edwards curves. We note that an EdSIDH protocol with two odd primes would preserve a nonsquare curve coeﬃcient and the completeness of the (simple) curve Ed for every isogeny computation. Because of this and the simple and fast formulas for odd isogenies presented, we suggest that Edwards curves would be a good choice for an oddprimes only implementation of SIDH. Moving forward, we encourage cryptographic implementers to further investigate the performance of EdSIDH proposed in this paper for a fair and proper comparison to their counterparts. Integration of these formulas into SIKE [18] and staticstatic SIDHlike schemes [3] could also be interesting. Lastly, we will be following advances in sidechannel attacks on isogenybased schemes, such as those proposed in [20,21], to see if our scheme will provide additional defense against such methods. Acknowledgement. The authors would like to thank the reviewers for their comments. This work is supported in parts by awards NIST 60NANB16D246, NIST 60NANB17D184, and NSF CNS1801341. Also, this research was undertaken thanks in part to funding from the Canada First Research Excellence Fund, Natural Sciences
140
R. Azarderakhsh et al.
and Engineering Research Council of Canada, CryptoWorks21, Public Works and Government Services Canada, and the Royal Bank of Canada.
References 1. Azarderakhsh, R., Fishbein, D., Jao, D.: Eﬃcient implementations of a quantumresistant keyexchange protocol on embedded systems. Technical report (2014) 2. Azarderakhsh, R., Jao, D., Kalach, K., Koziel, B., Leonardi, C.: Key compression for isogenybased cryptosystems. In: Proceedings of the 3rd ACM International Workshop on ASIA PublicKey Cryptography, AsiaPKC 2016, pp. 1–10. ACM, New York (2016) 3. Azarderakhsh, R., Jao, D., Leonardi, C.: Postquantum staticstatic key agreement using multiple protocol instances. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 45–63. Springer, Cham (2018). https://doi.org/10.1007/9783319725659 3 4. Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389– 405. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540681649 26 5. Bernstein, D.J., Birkner, P., Lange, T., Peters, C.: ECM using Edwards curves. Math. Comp. 82(282), 1139–1179 (2013) 6. Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007). https://doi.org/10.1007/9783540769002 3 7. Bernstein, D.J., Lange, T.: A complete set of addition laws for incomplete Edwards curves. J. Number Theory 131(5), 858–872 (2011). Elliptic Curve Cryptography 8. Charles, D., Lauter, K., Goren, E.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2009) 9. Chen, L., et al.: Report on postquantum cryptography. Technical report, National Institute of Standards and Technology (NIST) (2016) 10. Costache, A., Feigon, B., Lauter, K., Massierer, M., Puskas, A.: Ramanujan graphs in cryptography. Cryptology ePrint Archive, Report 2018/593 (2018) 11. Costello, C., Longa, P., Naehrig, M.: Eﬃcient algorithms for supersingular isogeny DiﬃeHellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662530184 21 12. Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 303–329. Springer, Cham (2017). https://doi.org/10.1007/9783319706979 11 13. Costello, C., Jao, D., Longa, P., Naehrig, M., Renes, J., Urbanik, D.: Eﬃcient compression of SIDH public keys. In: Coron, J.S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 679–706. Springer, Cham (2017). https://doi.org/10. 1007/9783319566207 24 14. De Feo, L., Jao, D., Plˆ ut, J.: Towards quantumresistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014) 15. Edwards, H.M.: A normal form for elliptic curves. In: Bulletin of the American Mathematical Society, pp. 393–422 (2007) 16. FazHern´ andez, A., L´ opez, J., OchoaJim´enez, E., Rodr´ıguezHenr´ıquez, F.: A faster software implementation of the supersingular isogeny DiﬃeHellman key exchange protocol. IEEE Trans. Comput. (2018, to appear)
EdSIDH: SIDH Key Exchange on Edwards Curves
141
17. Jalali, A., Azarderakhsh, R., MozaﬀariKermani, M., Jao, D.: Supersingular isogeny DiﬃeHellman key exchange on 64bit ARM. IEEE Trans. Dependable Secur. Comput. I: Regul. Pap. (2017) 18. Jao, D., et al.: Supersingular isogeny key encapsulation. Submission to the NIST PostQuantum Standardization Project (2017) 19. Kim, S., Yoon, K., Kwon, J., Hong, S., Park, Y.H.: Eﬃcient isogeny computations on twisted Edwards curves. Secur. Commun. Netw. (2018) 20. Koziel, B., Azarderakhsh, R., Jao, D.: An exposure model for supersingular isogeny DiﬃeHellman key exchange. In: Smart, N.P. (ed.) CTRSA 2018. LNCS, vol. 10808, pp. 452–469. Springer, Cham (2018). https://doi.org/10.1007/9783319769530 24 21. Koziel, B., Azarderakhsh, R., Jao, D.: Sidechannel attacks on quantumresistant supersingular isogeny DiﬃeHellman. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 64–81. Springer, Cham (2018). https://doi.org/10. 1007/9783319725659 4 22. Koziel, B., Azarderakhsh, R., Jao, D., MozaﬀariKermani, M.: On fast calculation of addition chains for isogenybased cryptography. In: Chen, K., Lin, D., Yung, M. (eds.) Inscrypt 2016. LNCS, vol. 10143, pp. 323–342. Springer, Cham (2017). https://doi.org/10.1007/9783319547053 20 23. Koziel, B., Azarderakhsh, R., MozaﬀariKermani, M.: Fast hardware architectures for supersingular isogeny DiﬃeHellman key exchange on FPGA. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 191–206. Springer, Cham (2016). https://doi.org/10.1007/9783319498904 11 24. Koziel, B., Azarderakhsh, R., MozaﬀariKermani, M.: A highperformance and scalable hardware architecture for isogenybased cryptography. IEEE Trans. Comput. PP(99), 1 (2018) 25. Koziel, B., Azarderakhsh, R., MozaﬀariKermani, M., Jao, D.: Postquantum cryptography on FPGA based on isogenies on elliptic curves. IEEE Trans. Circ. Syst. I: Regul. Pap. 64, 86–99 (2017) 26. Koziel, B., Jalali, A., Azarderakhsh, R., Jao, D., MozaﬀariKermani, M.: NEONSIDH: eﬃcient implementation of supersingular isogeny DiﬃeHellman key exchange protocol on ARM. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 88–103. Springer, Cham (2016). https://doi.org/10.1007/9783319489650 6 27. Meyer, M., Reith, S., Campos, F.: On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic. Cryptology ePrint Archive, Report 2017/1213 (2017) 28. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48, 243–264 (1987) 29. Moody, D., Shumow, D.: Analogues of V´elu’s formulas for isogenies on alternate models of elliptic curves. Math. Comp. 85(300), 1929–1951 (2016) 30. Valyukh, V.: Performance and comparison of postquantum cryptographic algorithms. Master’s thesis, Linkoping University (2017) 31. V´elu, J.: Isog´enies entre courbes elliptiques. C. R. Acad. Sci. Paris S´er. AB 273, A238–A241 (1971) 32. Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., Soukharev, V.: A postquantum digital signature scheme based on supersingular isogenies. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 163–181. Springer, Cham (2017). https://doi.org/10. 1007/9783319709727 9
Correlation Power Analysis on KASUMI: Attack and Countermeasure Devansh Gupta1(B) , Somanath Tripathy1 , and Bodhisatwa Mazumdar2 1
Indian Institute of Technology Patna, Patna 801106, India
[email protected],
[email protected] 2 Indian Institute of Technology Indore, Indore, India
[email protected]
Abstract. The KASUMI block cipher imparts conﬁdentiality and integrity to the 3G mobile communication systems. In this paper we present power analysis attack on KASUMI as a twopronged attack: ﬁrst the F L function is targeted, and subsequently the recovered output of F L function is used to mount attack on 7×7 and 9×9 Sboxes embedded in the F O function of the cipher. Our attack recovers all 128 bits of the secret key of KASUMI. Further, we present a countermeasure for this attack which requires lesser resource footprint as compared to existing countermeasures, rendering such implementations practically feasible for resourceconstrained applications, such as IoT and RFID devices. Keywords: Side channel attack · Power analysis attack Correlation power analysis · KASUMI block cipher
1
Introduction
Mobile Phones are very popular nowadays and have become a crucial part of our everyday life. In some applications, they complement traditional computing devices, such as laptops. Due to this massive popularity of mobile devices, security in mobile communication is very important. In this respect, the 3rd generation partnership project (3GPP) based technologies have been constantly evolving through generations of commercial cellular or mobile systems. Since the completion of longterm evolution (LTE), 3GPP has become focal point for mobile systems beyond 3G. To ensure data conﬁdentiality and data integrity of the users in 3GPP technology [25] a 64bit block cipher called KASUMI [15] is used. Therefore, security of a 3GPP based mobile network depends on the security of the underlying KASUMI block cipher. Further, security of GSM (Global System for Mobile Communications) and the second generation (2G) mobile cellular system relies on A5/3, which is also based on KASUMI block cipher. In existing literature, the modes of operation in KASUMI are provably secure if KASUMI is a pseudorandom permutation (PRP) and it is also secured in diﬀerentialbased related key attacks [10]. Meanwhile, an impossible diﬀerential attack [13] and a related key diﬀerential attack was performed on a 6round c Springer Nature Switzerland AG 2018 A. Chattopadhyay et al. (Eds.): SPACE 2018, LNCS 11348, pp. 142–156, 2018. https://doi.org/10.1007/9783030050726_9
Correlation Power Analysis on KASUMI: Attack and Countermeasure
143
version of KASUMI [5]. Also, a related key rectangle attack on an entire 8round version of KASUMI is demonstrated in [3]. The attack required 254.6 chosen plaintexts encrypted with four related keys, and has time complexity of 276.1 encryptions. Further, a related key boomerang distinguisher was also presented. This result showed that the strength of KASUMI against classical cryptanalysis attacks is crucial to the security of the mobile data transfer between the mobile device and the base station that may render attacks such as channel hijack attacks. All these attacks comprise classical cryptanalysis where the attackers perform a theoretical security analysis of the underlying cryptographic primitive. A cryptographic system is assumed to be a perfect black box; an attacker gains no extra information apart from the plaintext and ciphertext during a cryptographic operation. However, whenever a cryptographic algorithm is implemented in hardware, information about the embedded secret key of the device is leaked through physical sidechannels. A sidechannel may be in terms of power consumption of the device, temperature variance or time taken to run the algorithm. If this information is related to the secret key then it can be exploited to perform attack on the algorithm. Power Analysis attack [12] is a form of side channel attack [26] introduced by Kocher, Jaﬀe and Jun. It relies on the fact that diﬀerent operations incur diﬀerent power consumption depending on the data on which the operation is being performed. The power analysis attack assumes that the power consumed by a device is related to the intermediate values in the algorithm. Hence if the intermediate values have a relation to the secret key then this fact can be exploited to obtain the secret key. Another power analysis attack model was introduced named Correlation Power Analysis attack [6] in which a power consumption model is created for the encryption process and then the predicted power is correlated to the actual power and the highest peak of correlation plot gives the correct key. Correlation power analysis (CPA) attack works in the following way: – For a uniformly random set of plaintexts or ciphertexts, obtain the corresponding power traces. – Select the intermediate value (the intermediate value is a function of the secret key embedded in the device and input plaintext or round input) of the algorithm’s output to attack. – Guess a subkey and ﬁnd the intermediate value according to the subkey. – Model the power consumption for the subkey depending on the intermediate value of a round, and compute the correlation of the power consumption from the model with that of the original trace. – The subkey yielding the highest correlation value is the correct subkey. The existing literature is populated with countermeasures [7,8,16,20] against power analysis attacks. However, most of them focused on AES depicting that its software and hardware implementations are vulnerable against power analysis attacks. Subsequently, multiple countermeasures were proposed against these attacks, and later broken. This paper aims to perform the CPA attack on KASUMI block cipher. To the best of our knowledge, security vulnerabilities of implementation of KASUMI
144
D. Gupta et al.
based on power analysis attacks, has been scarcely examined, and that too on idealized hardware model without noise, thereby leading to ideal power traces [14]. Such a noiseindependent hardware implementation are very expensive to meet in practice. Our proposed attack can recover the complete key by exploiting a weakness in the key scheduling algorithm of KASUMI. Further, we propose an eﬃcient countermeasure technique to mitigate such attacks using minimal additional hardware resources. The rest of the work is organized as follows. Next section discusses precisely the existing work. The block cipher KASUMI is brieﬂy discussed in Sect. 4. Section 5 discusses the proposed attack technique and we present the mitigation technique in Sect. 6. Section 7 discusses the eﬀectiveness of the proposed attack and mitigation approach. Finally, the conclusion is drawn in Sect. 8.
2
Related Works
In literature, lightweight hardware implementations of KASUMI block cipher exist that apply to standard architectures such as 3GPP [22]. The KASUMI block cipher has been analyzed with respect to classical cryptanalysis attacks such as related key attacks [17]. In A5/3 algorithm, the KASUMI block cipher employs a 64bit session key, wherein multiple related key attacks that failed for larger versions of KASUMI block cipher, are found eﬀective in yielding information about the round keys. Further, impossible diﬀerential attacks were mounted on the last 7 rounds of KASUMI for 128bit session key [11]. Moreover, higher order diﬀerential attacks on KASUMI has also been examined [23] that employs linearizing attack on a reduced 5round KASUMI block cipher. In existing literature, Diﬀerential fault analysis attack (DFA) [25] has been proposed on KASUMI. The DFA attack [25] states that only one 16bit word fault is enough for a successful key recovery attack. However, there are limited analysis of resilience of KASUMI against power analysis attacks. The power analysis attack has so long been emphasized on Advanced Encryption Standard (AES), and many countermeasures [7,8,16,20] have been proposed for power analysis attacks on this cipher. All proposed countermeasures attempt to mitigate the relation between the key and power consumed. Such countermeasures can be applied to KASUMI as well. Masking is one of the most commonly used countermeasure against power analysis attack. Masking [4] involves hiding the intermediate value with some other random value. It is of two types: boolean and arithmetic. In boolean masking the intermediate value is XORed with the random mask whereas in arithmetic masking the random value is modulo added or multiplied to the intermediate value. In this way the intermediate value appears independent of the data and power traces cannot be correlated to the secret key. In ﬁrst order countermeasure a randomized mask value can prevent the information leakage of the secret key in the power traces. The mask can randomize the intermediate data values on algorithmic level [1,7], at gate implementation level [9,24], or a combination of circuit implementation approaches [19].
Correlation Power Analysis on KASUMI: Attack and Countermeasure
145
When implemented, masking is a very slow operation. Some commonly used masking schemes are Sbox masking and High Order Masking. Sbox masking involves hiding the Sbox operations. Masking Sbox is diﬃcult due to its high nonlinearity and all masked values must eventually be unmasked to restore the correct ciphertext. It is also a very slow operation reducing the speed of the system by at least half. Rotating Sbox masking [16] is one of the methods of Sbox masking. This scheme [16] uses Rotating Masked Sboxes. Fixed numbers of precomputed constant masks are used and customized SBoxes are used which get a masked input. The SBox unmasks the input and then performs the subbytes operation and remasks the output with another constant for the next round. But the Sboxes are stored in RAM/ROM to prevent information leakage in logic gates. High order masking [21] involves using higher number of masks per keydependent variable. This prevents higher order DPA which extracts the information of the intermediate values by comparing the intermediate values that share the same mask. But due to a large number of masks the complexity of using high order masking is very high.
3 3.1
Power Analysis Attack Diﬀerential Power Analysis Attack
Diﬀerential power analysis attack [18] (DPA) uses statistical analysis to guess the secret key. The steps of DPA attack are as follows: – Selection function D(C, b, Ks ) computes value of target bit b, given ciphertext C and subkey guess Ks . It depends on the function that computes the targeted intermediate value. – m power traces are collected of k samples each namely T1:m [1 : k] along with the corresponding ciphertext values C1:m . – The power traces are then sorted into two groups corresponding to the value of D(C, b, Ks ) is 0 or 1. – The average of the two sets are taken namely P (1) and P (0). – The diﬀerence between P (0) and P (1) is taken and let it be called as ΔD. – If the key guess was correct then ΔD shall contain spikes in the region where the correct operation is performed, else the trace of ΔD shall have no spikes with amplitude values close to zero. 3.2
Correlation Power Analysis Attack
Correlation power analysis attack [20] is an extension of DPA attack, in which, a model of power consumption is created in the analysis phase. Then power consumption is predicted using the model created. The correlation is found between the observed power trace and predicted trace. The highest peak of the correlation plot gives the correct key hypothesis. In AES, CPA is performed for each of the 16 bytes of the key. The models for power consumption can be one of the following:
146
D. Gupta et al.
– Hamming Weight Model: This model assumes that the power consumed is proportional to the number of bits that are logic 1 during the operation. – Hamming Distance Model: It assumes that the power consumption is due to the logic transition of bits. Precisely, if a bit is 0 or 1 during the whole operation, it does not contribute to the power, but if the bit changes from 0 to 1 or from 1 to 0, it consumes the same power. The steps of CPA are as follows: – Power traces are collected for the encryption along with the corresponding plaintexts or ciphertexts. – A power consumption model is assumed. – A key byte is guessed and the intermediate value to be attacked is calculated using the guessed key. – Hamming weight of the intermediate value is calculated and power is predicted. – Correlation is calculated for the predicted power and actual power consumed. – The highest correlation peak gives the correct key. The correlation factor is calculated using the below formula: N Wi Hi,R − Wi Hi,R ˆ ρWH (R) = 2 −( N Wi2 − ( Wi )2 N Hi,R Hi,R )2 In the formula, N is the number of power traces, Wi is the power consumed at time i and Hi,R is the predicted Hamming Distance at time i.
4
KASUMI Block Cipher
KASUMI is an eight round block cipher with 128 bit key; the input and output comprise 64 bits each. The complete structure of KASUMI is shown in Fig. 1. Each round uses eight 16bit sub keys derived from original key using key scheduling algorithm. Also, each round has two functions, namely, F L and F O. In even numbered rounds F O precedes F L, while F L precedes F O in odd numbered rounds. F L and F O both take a 32bit input and provide the corresponding 32bit output. This work uses the following notations. L and R are 32bit inputs (each) to the ﬁrst round. XL is the input to F L function. KL is the key used in F L function. The input to F O is denoted as XO. XOi,l and XOi,r (1 ≤ i ≤ 8) represent the left and right 16 bits of XO in round i, respectively. KO denotes the key used in F O function. XIi,j denotes the input to the F I function in j th subround of F O function, which is present in the ith round of KASUMI. KI denotes the key used in F I function. S9 and S7 denotes the 9 × 9 and 7 × 7 Sboxes, respectively.
Correlation Power Analysis on KASUMI: Attack and Countermeasure
147
Fig. 1. KASUMI structure; the odd numbered rounds comprise F L function followed by F O function, while the even numbered rounds comprise F O function followed by F L function. In functions F L, F O, and F I, the indices i and j in round keys KLi,j , KOi,j , and KIi,j indicate the round number and subround number, respectively.
4.1
Function F L
Figure 1(c) shows the F L function which takes a 32 bit input XL that is divided into two 16 bit halves, XLi,l and XLi,r . Subscript i denotes the ith round, i.e., (1 ≤ i ≤ 8). The output of F L function is Y Li,l and Y Li,r . Y Li,l and Y Li,r are derived as follows: Y Li,r = ((XLi,l ∧ KLi,1 ) ≪ 1) ⊕ XLi,r . Y Li,l = ((Y Li,r ∨ KLi,2 ) ≪ 1) ⊕ XLi,l . where, ∧ denotes bitwise AND and ∨ denotes bitwise OR. Also a ≪ b denoted a rotated left by b bits. Now the output Y L from F L function goes as input to the F O function.
148
4.2
D. Gupta et al.
Function F O
The structure of the F O function is shown in Fig. 1(b). F O comprises 3 rounds, each round has an F I function. F O takes a 32 bit input, XO. The input is divided into two 16bit halves, XOi,l and XOi,r . The subscript i denotes the ith round. Let lj and rj denote the left and right output to the j th round of F O function. These outputs of F O are calculated as follows: l0 = XOi,l , r0 = XOi,r rj = F I(KIi,j , lj−1 ⊕ KOi,j ) ⊕ rj−1 lj = rj−1 The output of the F O function is denoted by Y O. Y O = l3  r3 , where  denotes concatenation. 4.3
Function F I
Figure 1(d) shows the function F I. The input comprises 32bit, XIi,j . The F I function performs two Sbox operations, which comprises a 9 × 9 Sbox, S9, and a 7 × 7 Sbox, S7. Let the input to F I function be denoted as l0 and r0 . l0 represents the most signiﬁcant 9 bits of XIi,j and r0 represents the least signiﬁcant 7 bits of XIi,j . The next r1 and l1 are calculated as follows: r1 = S9(l0 ) ⊕ (00  r0 ) l1 = S7(l0 ) ⊕ r1 [6 : 0] where, r1 [6 : 0] indicates seven least signiﬁcant bits of r1 . Subsequently, r1 and l1 are XORed with KI to get the values of l2 and r2 , which will be further input to Sboxes. 0−8 l2 = r1 ⊕ KIi,j 9−15 r2 = l1 ⊕ KIi,j
Finally the ﬁnal output l3 and r3 are computed as follows: r3 = S9(l2 ) ⊕ (00  l2 ) l3 = S7(l2 ) ⊕ r3 [6 : 0] where r3 [6 : 0] denotes seven least signiﬁcant bits of r3 . The ﬁnal output Y Ii,j is l3  r3 . 4.4
Key Scheduling
KASUMI uses 128 bit key denoted by K, which is subdivided into eight 16bit subkeys Ki . Another key is used in KASUMI known as K , which is derived by K ⊕ 0x0123456789ABCDEF F EDCBA9876543210. Each round has 8 round
Correlation Power Analysis on KASUMI: Attack and Countermeasure
149
Table 1. KASUMI key scheduling Round KLi,1
KLi,2 KOi,1
KOi,2
KOi,3
KIi,1 KIi,3 KIi,3
1
k1 ≪ 1 k’3
k2 ≪ 5 k6 ≪ 8 k7 ≪ 13 k’5
k’4
k’8
2
k2 ≪ 1 k’4
k3 ≪ 5 k7 ≪ 8 k8 ≪ 13 k’6
k’5
k’1
3
k3 ≪ 1 k’5
k4 ≪ 5 k8 ≪ 8 k1 ≪ 13 k’7
k’6
k’2
4
k4 ≪ 1 k’6
k5 ≪ 5 k1 ≪ 8 k2 ≪ 13 k’8
k’7
k’3
5
k5 ≪ 1 k’7
k6 ≪ 5 k2 ≪ 8 k3 ≪ 13 k’1
k’8
k’4
6
k6 ≪ 1 k’8
k7 ≪ 5 k3 ≪ 8 k4 ≪ 13 k’2
k’1
k’5
7
k7 ≪ 1 k’1
k8 ≪ 5 k4 ≪ 8 k5 ≪ 13 k’3
k’2
k’6
8
k8 ≪ 1 k’2
k1 ≪ 5 k5 ≪ 8 k6 ≪ 13 k’4
k’3
k’7
keys. The round keys are labeled as KLi,1 , KLi,2 , KOi,1 , KOi,2 , KOi,3 , KIi,1 , KIi,2 and KIi,3 . The round keys are derived using key scheduling algorithm as shown in Table 1. ki denotes the ith 16bit subkey derived from K, and ki denotes the ith 16bit subkey derived from K . In this notation, a ≪ b denotes a rotated left by b bits and a⊕b denotes bitwise XOR operation between a and b.
5
Proposed Power Analysis Attack on KASUMI
In this section, we present the proposed attack against KASUMI to recover the round keys, which can be subsequently used to obtain the secret key due to the weak key scheduling of KASUMI. 5.1
Overview of the Attack
The main goal of this attack is to obtain all the 8 subkeys, by exploiting the Sbox operation of KASUMI in F O function, i.e., the key values of KIi,j and KOi,j , that are derived from k1 , . . . , k8 , and k1 , . . . , k8 in Table 1. However, ki , 1 ≤ i ≤ 8, can be obtained from ki from the following set of equations: k1 = k1 ⊕ 0x0123 k2 = k2 ⊕ 0x4567 k3 = k3 ⊕ 0x89AB k4 = k4 ⊕ 0xCDEF k5 = k5 ⊕ 0xF EDC k6 = k6 ⊕ 0xBA98 k7 = k7 ⊕ 0x7654 k8 = k8 ⊕ 0x3210
150
D. Gupta et al.
So, a powerbased sidechannel adversary targets the key bytes, k1 , k2 , . . ., k8 , only. We observe that one can obtain these key bytes by attacking the ﬁrst round F O function. However, mounting power analysis attack on the ﬁrst round F O function requires the input to the F O function. From Fig. 1, the input to the ﬁrst round F O function is the output of the ﬁrst round F L function. The sidechannel adversary can select the plaintext as input to the ﬁrst round F L function. By recovering KL1 , he can obtain the output of the F L function. Further, he can use this output to attack the corresponding F O function and get the abovementioned subkeys. Therefore, our proposed attack executes as follows: Step 1: Sub keys k1 and k3 are ﬁrst obtained by attacking the F O function in the last round of KASUMI. The input to the F O function in last round is the least signiﬁcant 32 bits of ciphertext. Step 2: KL for the ﬁrst round is calculated using the subkeys k1 and k3 obtained in Step 1. Step 3: Since L is known (as it is the plaintext), and from the value of KL calculated in the previous step, the output of F L function is computed. The output of F L function is XO. Step 4: Now the XO from the previous step is used to mount an attack the F O function in the ﬁrst round to obtain all the remaining subkeys. Step 5: Finally, all the extracted subkeys are combined to obtain the secret key. 5.2
Extracting Subkeys of First Round F L
We know that the input to the ﬁrst round F L function is the plaintext. Now the key used in the ﬁrst round F L function is KL1 . KL1 is derived from k1 and k3 . So we need to somehow obtain the subkeys k1 and k3 . If we successfully get the keys we can get the output of the F L function and mount an attack on the ﬁrst round F O function. Again from the KASUMI structure, we can observe that the last round F O function involves the subkeys k1 and k3 , which are precisely the subkeys that we want to recover. As mentioned earlier, we can attack the Sbox in the F O function to obtain the corresponding subkeys. Hence we need to attack the last round F O function to obtain the subkeys k1 and k3 to perform the attack mentioned in Subsect. 3.2.1 and obtain all the other subkeys. 5.3
Attacking the Last Round F O Function
The input to the last round F O function is the ciphertext. Using this input we will perform the power analysis attack on the last round F O function as mentioned below to obtain the subkeys k1 and k3 . The following are the steps to mount an attack on F O function in the last round. The input to the last round F O function (XO8 ) is least signiﬁcant 32 bits of ciphertext. The following steps are adopted to mount attack on any F O function.
Correlation Power Analysis on KASUMI: Attack and Countermeasure
151
Step 1: The 16bit left part of XO is computed and denoted as XO8,l . Step 2: All 29 combinations are guessed for the ﬁrst 9 bits of KO8,1 . Each of the 9bit key value is XORed with the ﬁrst 9 bits of XO8,l . The output after XOR is denoted as XIl9 (In this notation, 9 in l9 denotes the ﬁrst 9 bits of XIl ). Subsequently, the output of S9 for each XIl9 is computed, and the Hamming weight model based correlation power analysis attack is computed on this output. The 9bit key value which gives the highest correlation is considered to be the correct ﬁrst 9 bits of KO8,1 . This step is again repeated for the last 7 bits of XO8,l to get the last 7 bits of KO8,1 . Step 3: After obtaining the correct value of KO8,1 from the previous attack, the correct value of XI8,1 is computed. From this value of XI8,1 , step 2 is repeated to mount an attack on the second S9 and S7 of the F I function to get the correct key bits of KI8,1 . Step 4: Steps 2 and 3 are repeated to get the correct key bit values of KO8,2 , KI8,2 , KO8,3 and KI8,3 . 5.4
Simulation
We used OpenSCA simulator for mounting the power analysis attack [18]. The code of KASUMI was taken from GitHub [2]. We implemented the attack in MATLAB using the steps mentioned in the previous subsection. Subsequently, we used the simulator for mounting the correlation power analysis attack using our algorithm. We simulated our attack 100 times. In each attack, a random key was generated and 50 random plaintexts were encrypted with the session key. We obtained the entire 128 bits of the key on all the mounted attacks. From Fig. 2, the peak of the correlation trace can be observed at around 220 9−15 is being used time units with correlation value of 1.0. This shows that KI1,3 at around 220 time units. But after applying proposed countermeasure we can observe in Fig. 4 that for the same correct subkey, at around the same time when
9−15 Fig. 2. Correlation trace of correct subkey (KI1,3 ) guessed without any countermeasure
152
D. Gupta et al.
9−15 KI1,3 is being actually used (at approximately 220 time units) the correlation value is around 0.4 that is masked by several higher ghost peaks at subsequent time instances. Due to this occurrence of multiple peaks, the attack cannot guess the correct subkey after applying the proposed countermeasure.
6
Proposed Countermeasure
We present an approach to counter the power analysis attack on KASUMI. The countermeasure hides the power consumption information in the Sbox operation and masks the relation between the power consumption in Sbox operation and the involved sub key. For this purpose we propose that a new Sbox be created before the encryption and decryption operation. As shown in Fig. 3, let S denote the new Sbox, which is generated with random values.
Ar1
Br1
S
S'
(KASUMI Sbox)
(Random Sbox)
Ar
To next round Sbox
Br
To next round Sbox
Fig. 3. Random Sbox S as a countermeasure against CPA attack.
There will be two new randomly generated Sboxes for each encryption operation, one will be a 9 × 18 Sbox and the other is a 7 × 14 Sbox. Let the input to the Sbox be stored in register A. We use one more register (register B) which stores a dummy value. Henceforth, the following two Sbox operations will be performed simultaneously (in parallel) to hide the power consumption information. The content of register B will be given as input to S and the content of register A will be given as input to original Sbox S. The output of S is stored in B, whereas the output of S is stored in A. Contents of A and B will be interchanged later to allow the normal ﬂow of the algorithm. In this way the power consumed is not correlated to the operation of Sbox S and the intermediate data processed by S. Also the new SBox S is generated for each new plaintext or ciphertext. Hence, the power consumption and the embedded key are not linearly correlated anymore due to the randomness of S for each encryption or decryption, which mitigates the attack eﬃciency.
Correlation Power Analysis on KASUMI: Attack and Countermeasure
6.1
153
Simulation
To simulate the parallel execution of the Sbox operation as proposed in our scheme, we used new Sboxes with same input width but double output width. The 9 × 9 Sbox was changed to 9 × 18 bit Sbox where the most signiﬁcant 9 bits were the 9 bits of the original Sbox and the least signiﬁcant 9 bits are the randomly generated 9 bits for each encryption or decryption. Similarly the 7 × 7 Sbox was transformed into a 7 × 14 Sbox, which follows the same scheme as the 9 × 18 Sbox, i.e., the most signiﬁcant 7 bits were the 7 bits of the original S7 Sbox and the least signiﬁcant 7 bits were randomly generated 7 bits for each encryption or decryption. The input to the new S9 is 9 bit and the output is of 18 bits. The most signiﬁcant 9 bits are then stored in another variable, which will be used later for all other operations of KASUMI. Similarly the input to the new S7 Sbox is of 7 bits and the output has 14 bits. The most signiﬁcant 7 bits are then stored in some other variable of 7 bits which will be used to perform remaining steps of KASUMI. We implemented the proposed countermeasure and simulated the correlation power analysis attack 100 times. In each attack, a random key was generated and 100 random plaintexts were encrypted with the session key. We could not recover any of the subkey correctly. Hence the proposed countermeasure was successful in mitigating the power analysis attack.
9−15 Fig. 4. Correlation trace of correct subkey (KI1,3 ) guessed with proposed countermeasure
7
Discussion
On performing the attack on KASUMI we extracted all 128 bits of the key. 9−15 is shown in Fig. 2. As The result of the correlation trace for correct KI1,3 can be observed from Fig. 2, the maximum correlation is 1.000 for 7 × 7 Sbox. This shows that the correct key can be easily recovered by performing CPA on unmasked KASUMI (Fig. 5).
154
D. Gupta et al.
Fig. 5. Odd round of KASUMI
9−15 After implementing our proposed scheme, the correlation trace of KI1,3 is shown in Fig. 4. This shows that the correct subkeys cannot be identiﬁed for the countermeasure, and the correlation based power analysis attack cannot succeed against our proposed scheme.
7.1
Comparison with Masking Techniques
Sbox Masking: Our proposed mitigation approach uses only two new Sboxes (a 9 × 18 Sbox and a 7 × 14 Sbox) for each encryption whereas if we apply the concept of rotating Sbox masking then we will need a new Sbox for each mask used. With increase in number of masks, the memory used in rotating Sbox masking is larger as compared to the number of Sboxes used by our scheme. Hence our algorithm is more memory eﬃcient as compared to rotating Sbox masking. High Order Masking: Due to high number of masks used in higher order masking the approach is very costly. Whereas the proposed mitigation technique needs to generate only two new random Sboxes for each encryption or decryption. Also the operation is only performed once before the start of the encryption or decryption process. Hence our scheme is cost eﬀective as compared to higher order masking.
8
Conclusion
This paper proposes an eﬃcient method to apply correlation power analysis attack on KASUMI. The attack successfully recovers 128bit secret key by exploiting the simple key scheduling of KASUMI. In addition, we proposed a simple but eﬃcient countermeasure to mitigate the correlation power analysis attack on KASUMI that yields performance improvement of many orders in resource constrained applications, such as IoTs, as compared to conventional protection techniques, such as masking and higher order masking techniques.
Correlation Power Analysis on KASUMI: Attack and Countermeasure
155
References 1. Akkar, M.L., Giraud, C.: An implementation of DES and AES, secure against some attacks. In: Ko¸c, C ¸ .K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 309–318. Springer, Heidelberg (2001). https://doi.org/10.1007/3540447091 26 2. ApS, N.: unabto (2015). https://github.com/nabto/unabto/blob/master/ 3rdparty/libtomcrypt/src/ciphers/kasumi.c 3. Biham, E., Dunkelman, O., Keller, N.: A relatedkey rectangle attack on the full KASUMI. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 443–461. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447 24 4. Bl¨ omer, J., Guajardo, J., Krummel, V.: Provably secure masking of AES. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 69–83. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540305644 5 5. Blunden, M., Escott, A.: Related key attacks on reduced round KASUMI. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 277–285. Springer, Heidelberg (2002). https://doi.org/10.1007/354045473X 23 6. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540286325 2 7. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract poweranalysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999). https://doi.org/10.1007/3540484051 26 8. Chen, Z., Zhou, Y.: Dualrail random switching logic: a countermeasure to reduce side channel leakage. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 242–254. Springer, Heidelberg (2006). https://doi.org/10.1007/ 11894063 20 9. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540451464 27 10. Iwata, T., Kohno, T.: New security proofs for the 3GPP conﬁdentiality and integrity algorithms. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 427–445. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540259374 27 11. Jia, K., Li, L., Rechberger, C., Chen, J., Wang, X.: Improved cryptanalysis of the block cipher KASUMI. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 222–233. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642359996 15 12. Kocher, P., Jaﬀe, J., Jun, B.: Diﬀerential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3540484051 25 13. K¨ uhn, U.: Cryptanalysis of reducedround MISTY. In: Pﬁtzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 325–339. Springer, Heidelberg (2001). https:// doi.org/10.1007/3540449876 20 14. Masoumi, M., Moghadam, S.S.: A simulationbased correlation power analysis attack to FPGA implementation of KASUMI block cipher. Int. J. Internet Technol. Secur. Trans. 7(2), 175–191 (2017) 15. Matsui, M., Tokita, T.: MISTY, KASUMI and camellia cipher algorithm development. Mitsibishi Electr. Adv. (Mitsibishi Electr. Corp.) 100, 2–8 (2001)
156
D. Gupta et al.
16. Nassar, M., Souissi, Y., Guilley, S., Danger, J.L.: RSM: a small and fast countermeasure for AES, secure against 1st and 2ndorder zerooﬀset SCAs. In: Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 1173–1178. IEEE (2012) 17. Nguyen, P.H., Robshaw, M.J.B., Wang, H.: On relatedkey attacks and KASUMI: the case of A5/3. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 146–159. Springer, Heidelberg (2011). https://doi.org/10. 1007/9783642255786 12 18. Oswald, E., et al.: OpenSCA, an open source toolbox for MATLAB (2008) 19. Popp, T., Mangard, S.: Masked dualrail precharge logic: DPAresistance without routing constraints. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 172–186. Springer, Heidelberg (2005). https://doi.org/10.1007/11545262 13 20. Popp, T., Mangard, S., Oswald, E.: Power analysis attacks and countermeasures. IEEE Des. Test Comput. 24(6) (2007) 21. Rivain, M., Prouﬀ, E.: Provably secure higherorder masking of AES. In: Mangard, S., Standaert, F.X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642150319 28 22. Satoh, A., Morioka, S.: Small and highspeed hardware architectures for the 3GPP standard cipher KASUMI. In: Chan, A.H., Gligor, V. (eds.) ISC 2002. LNCS, vol. 2433, pp. 48–62. Springer, Heidelberg (2002). https://doi.org/10.1007/3540458115 4 23. Sugio, N., Aono, H., Hongo, S., Kaneko, T.: A study on higher order diﬀerential attack of KASUMI. IEICE Trans. Fundam. Electron., Commun. Comput. Sci. 90(1), 14–21 (2007) 24. Trichina, E., Korkishko, T., Lee, K.H.: Small size, low power, side channelimmune AES coprocessor: design and synthesis results. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2004. LNCS, vol. 3373, pp. 113–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11506447 10 25. Wang, Z., Dong, X., Jia, K., Zhao, J.: Diﬀerential fault attack on KASUMI cipher used in GSM telephony. Math. Prob. Eng. 2014, 1–7 (2014) 26. Zhou, Y., Feng, D.: Sidechannel attacks: ten years after its publication and the impacts on cryptographic module security testing. IACR Cryptology ePrint Archive 2005/388 (2005)
On the Performance of Convolutional Neural Networks for SideChannel Analysis Stjepan Picek1 , Ioannis Petros Samiotis1 , Jaehun Kim1 , Annelie Heuser2 , Shivam Bhasin3(B) , and Axel Legay4 1
3
Delft University of Technology, Mekelweg 2, Delft, The Netherlands 2 CNRS, IRISA, Rennes, France Physical Analysis and Cryptographic Engineering, Temasek Laboratories, Nanyang Technological University, Singapore, Singapore
[email protected] 4 Inria, IRISA, Rennes, France
Abstract. In this work, we ask a question whether Convolutional Neural Networks are more suitable for sidechannel attacks than some other machine learning techniques and if yes, in what situations. Our results point that Convolutional Neural Networks indeed outperform machine learning in several scenarios when considering accuracy. Still, often there is no compelling reason to use such a complex technique. In fact, if comparing techniques without extra steps like preprocessing, we see an obvious advantage for Convolutional Neural Networks when the level of noise is small, and the number of measurements and features is high. The other tested settings show that simpler machine learning techniques, for a signiﬁcantly lower computational cost, perform similarly or sometimes even better. The experiments with guessing entropy indicate that methods like Random Forest or XGBoost could perform better than Convolutional Neural Networks for the datasets we investigated.
Keywords: Sidechannel analysis Convolutional Neural Networks
1
· Machine learning · Deep learning
Introduction
Sidechannel analysis (SCA) is a process exploiting physical leakages in order to extract sensitive information from a cryptographic device. The ability to protect devices against SCA represents a paramount requirement for the industry. One especially attractive target for physical attacks is the Internet of Things (IoT) [1] since (1) the devices to be attacked are widespread and in the proximity of an attacker and (2) the available resources to implement countermeasures on devices are scarce. Consequently, we want a setting where the countermeasures are simple (i.e., cheap) and yet being able to protect from the most powerful c Springer Nature Switzerland AG 2018 A. Chattopadhyay et al. (Eds.): SPACE 2018, LNCS 11348, pp. 157–176, 2018. https://doi.org/10.1007/9783030050726_10
158
S. Picek et al.
attacks. At the same time, many products have transaction counters which set a limit for the number of sidechannel measurements one is able to collect. The proﬁled sidechannel analysis deﬁnes the worst case security assessment by conducting the most powerful attacks. In this scenario, the attacker has access to a clone device, which can be proﬁled for any chosen or known key. Afterward, he is able to use the obtained knowledge to extract the secret key from a diﬀerent device. Proﬁled attacks are conducted in two distinctive phases where the ﬁrst phase is known as the proﬁling (or sometimes learning/training) phase, while the second phase is called the attack (test) phase. A wellknown example of such an attack is template attack (TA) [2], a technique that is the best (optimal) from an information theoretic point of view if the attacker has an unbounded number of traces [3,4]. Soon after the template attack, the stochastic attack that uses linear regression in the proﬁling phase was developed [5]. In coming years, researchers recognized certain weaknesses in template attack and they tried to modify it in order to better account for diﬀerent (usually, more diﬃcult) attack scenarios. One example of such an approach is the pooled template attack where only one pooled covariance matrix is used in order to cope with statistical diﬃculties [6]. Alongside such techniques, the SCA community recognized that the same general proﬁled approach is actually used in supervised machine learning. Machine learning (ML) is a term encompassing a number of methods that can be used for tasks like classiﬁcation, clustering, feature selection, and regression [7]. Consequently, the SCA community started to experiment with diﬀerent ML techniques and to evaluate whether they are useful in the SCA context, see e.g., [4,8–18]. Although considering diﬀerent scenarios and often diﬀerent machine learning techniques (with some algorithms used in a prevailing number of works like Support Vector Machines and Random Forest), all those works have in common that they establish numerous scenarios where ML techniques can outperform template attack and are the best choice for proﬁled SCA. More recently, deep learning techniques started to capture the attention of the SCA community. In 2016, Maghrebi et al. conducted the ﬁrst analysis of deep learning techniques for proﬁled SCA as well as a comparison against a number of ML techniques [19]. The results were very encouraging with deep learning surpassing other, simpler machine learning techniques and TA. Less than one year later, a paper focusing on Convolutional Neural Networks (CNNs) showed impressive results: this technique was better performing than TA but was also successful against device protected with diﬀerent countermeasures [20]. This, coupled with a fact that the authors were able to propose several clever data augmentation techniques, boosted even further the conﬁdence in deep learning for SCA. In this work, we take a step back and investigate a number of proﬁled SCA scenarios. We compare one deep learning technique that got the most attention in SCA community up to now – CNNs against several, wellknown machine learning techniques. Our goal is to examine the strengths of CNNs when compared with diﬀerent machine learning techniques and to recognize what are the most suitable scenarios (considering complexity, explainability, ease of use, etc.) to use deep
On the Performance of Convolutional Neural Networks for SCA
159
learning. We emphasize that the aim of this paper is not to doubt CNNs as a good approach but to doubt it as the best approach for any proﬁled SCA setting. The main contributions of this work are: 1. We conduct a detailed comparison between several machine learning techniques in an eﬀort to recognize situations where convolutional neural networks oﬀer clear advantages. We especially note XGBoost algorithm, which is wellknown as an extremely powerful technique but has never before been used in SCA. We show results for both accuracy and guessing entropy in an eﬀort to better estimate the behavior of tested algorithms. 2. We design a convolutional neural network architecture that is able to reach high accuracies and compete with ML techniques as well as with the other deep learning architecture designed in [19]. 3. We conduct an experiment showing that the topology of measurements does not seem to be the key property for CNNs’ good performance. 4. We discuss scenarios where convolutional neural networks could be the preferred choice when compared with other, simpler machine learning techniques.
2 2.1
Background Profiled SideChannel Analysis
Let calligraphic letters (X ) denote sets, capital letters (X) denote random variables taking values in these sets, and the corresponding lowercase letters (x) denote their realizations. Let k ∗ be the ﬁxed secret cryptographic key (byte), k any possible key hypothesis, and the random variable T the plaintext or ciphertext of the cryptographic algorithm, which is uniformly chosen. We denote the measured leakage as X and consider multivariate leakage X = X1 , . . . , XD , with D being the number of time samples or pointsofinterest (i.e., features as called in ML domain). To guess the secret key, the attacker ﬁrst needs to choose a model Y (T, k) depending on the key guess k and on some known text T , which relates to the deterministic part of the leakage. When there is no ambiguity, we write Y instead of Y (T, k). We consider a scenario where a powerful attacker has a device with knowledge about the secret key implemented and is able to obtain a set of N proﬁling traces X 1 , . . . , X N in order to estimate the leakage model. Once this phase is done, the attacker measures additional traces X 1 , . . . , X Q from the device under attack in order to break the unknown secret key k ∗ . Although it is usually considered that the attacker has an unlimited number of traces available during the proﬁling phase, this is of course always bounded. 2.2
Machine Learning Techniques
We select several machine learning techniques to be tested against CNN approach. More precisely, we select one algorithm based on Bayes theorem (Naive Bayes), one treebased method based on boosting (Extreme Gradient Boosting),
160
S. Picek et al.
one treebased method based on bagging (Random Forest), and ﬁnally, one neural network algorithm (Multilayer perceptron). We do not use Support Vector Machines (SVM) in our experiments despite their good performance as reported in a number of related works. This is because SVM is computationally expensive (especially when using radial kernel) and our experiments showed problems when dealing with imbalanced data (as occurs here since we consider the Hamming weight model) and large amounts of noise. For all ML techniques, we use scikitlearn library in Python 3.6 while for CNNs we use Keras with TensorFlow backend [21,22]. We follow that line of investigation since the “No Free Lunch Theorem” for supervised machine learning proves there exists no single model that works best for every problem [23]. To ﬁnd the best model for a speciﬁc given problem, numerous algorithms and parameter combinations should be tested. Naturally, not even then one can be sure that the best model is obtained but at least some estimate about tradeoﬀs between the speed, accuracy, and complexity of the obtained models is possible. Besides the “No Free Lunch Theorem” we brieﬂy discuss two more relevant machine learning notions. The ﬁrst one is connected with the curse of dimensionality [24] and the Hughes eﬀect [25], which states that with a ﬁxed number of training samples, the predictive power reduces as the dimensionality increases. This indicates that for scenarios with a large number of features, we need to use more training examples, which is a natural scenario for deep learning. Finally, the Universal Approximation theorem states that neural network is a universal functional approximator, more precisely, even a feedforward neural network with a single hidden layer that consists of a ﬁnite number of neurons can approximate many continuous functions [26]. Consequently, by adding hidden layers and neurons, neural networks gain more approximation power. Naive Bayes – NB. The Naive Bayes classiﬁer is a method based on the Bayesian rule. It works under the simplifying assumption that the predictor attributes (measurements) are mutually independent among the features given the target class [27]. The existence of highly correlated attributes in a dataset can thus inﬂuence the learning process and reduce the number of successful predictions. NB assumes a normal distribution for predictor attributes and outputs posterior probabilities. Multilayer Perceptron – MLP. The Multilayer perceptron is a feedforward neural network that maps sets of inputs onto sets of appropriate outputs. MLP consists of multiple layers of nodes in a directed graph, where each layer is fully connected to the next one. To train the network, the backpropagation algorithm is used, which is a generalization of the least mean squares algorithm in the linear perceptron. An MLP consists of three or more layers (since input and output represent two layers) of nonlinearlyactivating nodes [28]. Note, if there is more than one hidden layer, we can already talk about deep learning. Extreme Gradient Boost – XGBoost. The XGBoost is a scalable implementation of gradient boosting decision tree algorithm [29]. Chen and Guestrin
On the Performance of Convolutional Neural Networks for SCA
161
designed this algorithm where they use a sparsity aware algorithm for handling sparse data and a theoretically justiﬁed weighted quantile sketch for approximate learning [30]. As the name suggests, its core part is gradient boosting (since it uses a gradient descent algorithm to minimize the loss when adding new models). Here, boosting is an ensemble technique where new models are added to correct the errors made by existing models. Models are added sequentially until no further improvements can be made. Today, XGBoost is due to his execution speed and model performance one of the top performing algorithms in the ML domain. Since this algorithm is based on decision trees, it has additional advantages as being robust in noisy scenarios. Random Forest – RF. The Random Forest algorithm is a wellknown ensemble decision tree learner [31]. Decision trees choose their splitting attributes from a random subset of k attributes at each internal node. The best split is taken among these randomly chosen attributes and the trees are built without pruning, RF is a parametric algorithm with respect to the number of trees in the forest. RF is a stochastic algorithm because of its two sources of randomness: bootstrap sampling and attribute selection at node splitting. 2.3
Convolutional Neural Networks – CNNs
CNNs are a speciﬁc type of neural networks which were ﬁrst designed for 2dimensional convolutions as it was inspired by the biological processes of animals’ visual cortex [32]. They are primarily used for image classiﬁcation but lately, they have proven to be powerful classiﬁers for time series data such as music and speech [33]. Their usage in sidechannel analysis has been encouraged by [19,20]. As we explain in Sect. 3.2, in order to ﬁnd the most optimized model for the available datasets, we use random search for hyperparameter tuning. This enabled us to study how diﬀerent architectures behaved on the datasets and compare the results to determine the best candidate model for our experimental setup. As this work is not attempting to propose a new optimal architecture for sidechannel data classiﬁcation, we used the most optimized network found through the Random Search for our benchmarks. The ﬁnal architecture was chosen after creating hyperparameter constraints based on the literature and tests we conducted, followed by an optimization of their values through a random search. The hyperparameters that are modeled and optimized are number of convolutional/pooling/fully connected layers, number of activation maps, learning rate, dropout magnitude, convolutional activation functions, convolutional/pooling kernel size, and stride and number of neurons on fully connected layers. During the training, we use early stopping to further avoid overﬁtting by monitoring the loss on the validation set [34]. Thus, every training session is interrupted before reaching high accuracy on the training dataset. To help the network increase its accuracy on the validation set, we use a learning rate scheduler to decrease the learning rate depending on the loss from the validation set. We initialize the weights to small random values and we use “adam” optimizer [35].
162
S. Picek et al.
In this work, we ran the experiment with computation nodes equipped with 32 NVIDIA GTX 1080 Ti graphics processing units (GPUs). Each of it has 11 Gigabytes of GPU memory and 3 584 GPU cores. We implement the experiments with the Tensorﬂow [22] computing framework and Keras deep learning framework [21] to leverage the GPU computation. 2.4
Performance Analysis
To assess the performance of the classiﬁers (and consequently the attacker) we +T N use accuracy: ACC = T P +FT PP +F N +T N . TP refers to true positive (correctly classiﬁed positive), TN to true negative (correctly classiﬁed negative), FP to false positive (falsely classiﬁed positive), and FN to false negative (falsely classiﬁed negative) instances. TP, TN, FP, and FN are welldeﬁned for hypothesis testing and binary classiﬁcation problems. When dealing with the multiclass classiﬁcation, they are deﬁned in one class–vs–all other classes manner and are calculated from the confusion matrix. The confusion matrix is a table layout where each row represents the instances in an actual class, while each column represents the instances of a predicted class. Besides accuracy, we use also Success rate (SR) and Guessing entropy (GE) [36]. Given a certain amount of traces, SR is deﬁned as the estimated average probability of success of an attack. In other words, what is the probability on average that the attack predicts the correct secret key given a certain amount of traces. Given a ranking of secret key candidates (i.e., from probabilities or scores) of an attack, the guessing entropy is the average position of the correct secret key in the ranking.
3 3.1
Experimental Setting Datasets
In our experiments, we use three datasets: one representing an easy target to attack due to a low level of noise, one more diﬃcult target due to a high level of noise, and ﬁnally, one with the random delay countermeasure. DPAcontest v4 Dataset [37]. This dataset (denoted DPAv4) gives measurements of a masked AES software implementation but since the mask is known, one can easily transform it into an unprotected scenario. Since it is a software implementation, the most leaking operation is not the register writing but the processing of the Sbox operation and we attack the ﬁrst round: Y (k ∗ ) = Sbox[Pb1 ⊕ k ∗ ] ⊕
M
,
(1)
known mask
where Pb1 is a plaintext byte and we choose b1 = 1. We consider here a setting with 9 classes corresponding to the Hamming weight of the output of an Sbox. The SNR for this dataset lies between 0.1188 and 5.8577. For our experiments,
On the Performance of Convolutional Neural Networks for SCA
163
we start with a preselected window of 3 000 features (around the Sbox part of the algorithm execution) from the original trace. Note that we maintain the lexicographical ordering (topology) of features after the feature selection (by lexicographical ordering we mean keeping the features in the order they appear in measurements and not, for instance, sorting them in accordance to their relevance). DPAcontest v2 Dataset [38]. DPAcontest v2 (denoted DPAv2) provides measurements of an AES hardware implementation. Previous works showed that the most suitable leakage model (when attacking the last round of an unprotected hardware implementation) is the register writing in the last round: Y (k ∗ ) = Sbox−1 [Cb1 ⊕ k ∗ ] ⊕ previous register value
Cb2
.
(2)
ciphertext byte
Here, Cb1 and Cb2 are two ciphertext bytes and the relation between b1 and b2 is given through the inverse ShiftRows operation of AES. We select b1 = 12 resulting in b2 = 8 since it is one of the easiest bytes to attack [38]. In Eq. (2), Y (k ∗ ) consists of 256 values but we apply the Hamming weight (HW) on those values resulting in 9 classes. These measurements are relatively noisy and the var(y(t,k∗ )) resulting modelbased signaltonoise ratio SN R = var(signal) var(noise) = var(x−y(t,k∗ )) , lies between 0.0069 and 0.0096. There are several available datasets under the DPAcontest v2 name and we use the traces from the “template” set. This dataset has 3 253 features. Random Delay Countermeasure Dataset. As our last use case, we use a protected (i.e., with a countermeasure) software implementation of AES. The target smartcard is an 8bit Atmel AVR microcontroller. The protection uses random delay countermeasure as described by Coron and Kizhvatov [39]. Adding random delays to the normal operation of a cryptographic algorithm has as an eﬀect on the misalignment of important features, which in turns makes the attack more diﬃcult to conduct. As a result, the overall SNR is reduced (the SNR has a maximum value of 0.0556). We mounted our attacks in the Hamming weight power consumption model against the ﬁrst AES key byte, targeting the ﬁrst Sbox operation. This dataset has 50 000 traces with 3 500 features each. This countermeasure has been shown to be prone to deep learning based sidechannel [20]. The random delay is quite often used countermeasure in commercial products, while not modifying the leakage order (like masking). The dataset is publicly available at https://github.com/ikizhvatov/randomdelaystraces. 3.2
Data Preparation and Parameter Tuning
We denote the training set size as T r, validation set size as V , and testing set size as T e. Here, T r + V + T e equals to the total set size S. We experiment with four dataset sizes S – [1 000, 10 000, 50 000, 100 000]. For the Random delay dataset, we use the ﬁrst three sizes since it has only 50 000 measurements. The ratios for T r, V , and T e equal 50% : 25% : 25%. All features are normalized
164
S. Picek et al.
into [0, 1] range. When using ML techniques, instead of validation, we use 5fold crossvalidation. In the 5fold crossvalidation, the original sample is ﬁrst randomly partitioned into 5 equal sized subsets. Then, a single subsample is selected to validate the data while the remaining 4 subsets are used for training. The crossvalidation process is repeated 5 times where each of the 5 subsamples is used once for validation. The obtained results are then averaged to produce an estimation. We select to conduct 5fold crossvalidation on the basis of the number of measurements belonging to the least populated class for the smallest dataset we use. Since the number of features is too large for ML techniques, we conduct feature selection where we select the 50 most important features while we keep the lexicographical ordering of selected features. We use 50 features for ML techniques since the datasets are large and the number of features is one of two factors (the second one is the number of measurements) comprising the time complexity for ML algorithms. Additionally, 50 features is a common choice in the literature [12,14]. To select those features, we use the correlation coeﬃcient where we calculate it for the target class variables HW, which consists of categorical values that are interpreted as numerical values [40]: N ((xi − x ¯)(yi − y¯)) . (3) P earson(x, y) = i=1 N N 2 2 (x − x ¯ ) (y − y ¯ ) i=1 i i=1 i Despite the fact it is not the best practice to use such selected features with the CNNs, we also include the experiment using CNNs with the selected features as an input for the purpose of the comparison and completeness. For CNNs, we do not conduct crossvalidation since it is too computationally expensive but rather we additionally use the validation set, that serves as an indicator of early stopping to avoid overﬁtting. In order to ﬁnd the best hyperparameters, we tune the algorithms with respect to their most important parameters as described below: 1. The Naive Bayes has no parameters to tune. 2. For MLP, we tune the solver parameter that can be either adam, lbf gs, or sgd. Next, we tune activation function that can be either ReLU or T anh, and the number and structure of hidden layers in MLP. The number of hidden layers is tuned in the range [2, 3, 4, 5, 6] and the number of neurons per layer in the range [10, 20, 30, 40, 50]. 3. For XGBoost, we tune the learning rate and the number of estimators. For learning rate, we experiment with values [0.001, 0.01, 0.1, 1] and for the number of estimators with values of [100, 200, 400]. 4. For RF, we tune the number of trees in the range [10, 50, 100, 200, 500], with no limit to the tree size. When dealing with CNNs, in order to ﬁnd the best ﬁtting model, we optimized 13 hyperparameters: convolutional kernel size, pooling size, stride on convolutional layer, initial number of ﬁlters and neurons, learning rate, the number of convolutional/pooling/fully connected layers, type of activation function, optimization algorithm, and dropout on convolutional and fully connected layers.
On the Performance of Convolutional Neural Networks for SCA
165
The hyperparameter optimization was implemented through a random search, where the details on possible parameter ranges are given in Table 1). We tune our CNN architecture for the DPAcontest v4 dataset. Table 1. Hyperparameters and their value ranges. Hyperparameter
Value range
Constraints
Convolutional kernel
kconv ∈ [3, 20]

Pooling kernel
kpool ∈ [3, 20]
kpool ≤ kconv
Stride
s ∈ [1, 5]
In pooling layers, s = kpool − 1
# of convolutional layers
layersconv ∈ [2, 6]

# of pooling layers
layerspool ∈ [1, 5]
layerspool ≤ layersconv
# of fullyconnected layers
layersf c ∈ [0, 2]

Initial # of activation maps
a ∈ [8, 32]
Follows geometric progression with ratio r = 2, for the # of layersconv
Initial # of neurons
n ∈ [128, 1024]
Follows geometric progression with ratio r = 2, for the # of layersf c
Convolutional layer dropout
dropconv ∈ [0.05, 0.10]

Fullyconnected layer dropout
dropf c ∈ [0.10, 0.20]

Learning rate
l ∈ [0.001, 0.012]
A learning rate scheduler was applied
Activation function
ReLU, ELU, SELU, LeakyReLU, PReLU
The same for all layers except the last which uses Softmax
Optimization algorithm
Adam, Adamax, NAdam, Adadelta, Adagrad, SGD, RMSProp

We use the Softmax activation function in the classiﬁcation layer combined with the Categorical Cross Entropy loss function. For regularization, we use dropout on convolutional and fully connected layers while on the classiﬁcation layer we use an activity L2 regularization. These regularization techniques help to avoid overﬁtting on the training set, which in turn help lower the bias of the model. The number of activation maps increases per layer, following a geometric progression with an initial value a = 16 and a ratio r = 2 (16, 32, 64, 128). The number of activation maps is optimized for GPU training. The network is composed of 4 convolutional layers and 4 pooling layers in between, followed by the classiﬁcation layer. All convolutional layers use kernel size of 6 and stride 2 creating a number of activation maps for each layer. For pooling we use Average Pooling on the ﬁrst pooling layer and Max Pooling on the rest, using the kernel of size 4 and stride of 3. The convolutional layers use “Scaled Exponential Linear
166
S. Picek et al.
Unit” (SELU) activation function, an activation function which induces selfnormalizing properties [41]. We depict our architecture in Fig. 1 and give details about it in Table 2.
16 (4)
32 (4)
pool2
64
conv3
(4) pool3
9
128
(4)
conv4
pool4
atten out
conv2 pool1 conv1 input
Fig. 1. The developed CNN architecture. The simpliﬁed ﬁgure illustrates the applied architecture. The yellow rectangular blocks indicate 1dimensional convolution layer, and the blue blocks indicate pooling layers. The ﬁrst light blue block indicates average pooling, which is diﬀerent from the other max pooling blocks. After the ﬂattening of every trailing spatial dimension into a single feature dimension, we apply a fullyconnected layer for classiﬁcation. (Color ﬁgure online)
Table 2. Developed CNN architecture. Layer
Output shape Weight shape Subsampling Activation
conv (1)
1 624 × 16
averagepool(1) 542 × 16
1 × 16 × 6
2
SELU

(4), 3

conv (2)
271 × 32
1 × 32 × 6
2
SELU
maxpool (2)
91 × 32

(4), 3

conv (3)
46 × 64
1 × 64 × 6
2
SELU
maxpool (3)
16 × 64

(4), 3

conv (4)
8 × 128
1 × 128 × 6
2
SELU
maxpool (4)
3 × 128

(4), 3

fcoutput
9
384 × 9

Softmax
On the Performance of Convolutional Neural Networks for SCA
4
167
Results
It has been already established that accuracy is often not suﬃcient performance metric in SCA context but something like the key enumeration should be used to really assess the performance of classiﬁers [13,20]. The problem with accuracy is most pronounced in imbalanced scenarios since high accuracy can just mean that the classiﬁer classiﬁed all measurements into the dominant class (i.e., the one with the most measurements). This phenomenon is wellknown in the machine learning community. Since we consider in our experiments the Hamming weight model, we have imbalanced data where HW class 4 (all Sbox outputs with the Hamming weight equal to 4) is the most represented one. In fact, on average HW4 is 70 times more represented than HW0 or HW8. Consequently, a classiﬁer assigning all measurements into HW4 will have a relatively good accuracy (70/256 ≈ 27.3%) but will not be useful in SCA context. To denote such cases, we depict the corresponding accuracies in cells with the gray background color. First, we brieﬂy address the fact that we do not use template attack. The decision for this is based on previous works as listed in Sect. 1 where it is shown that machine learning and deep learning can outperform TA. Consequently, we keep our focus here only on techniques coming from the machine learning domain. 4.1
Accuracy
In Table 3, we give results for DPAcontest v4 dataset when considering 50 most important features. First, we can observe that none of the techniques have problems with obtaining high accuracy values. In fact, we notice a steady increase in the accuracy values as we add more measurements to the training/testing process. By comparing the methods simply by the accuracy score, we see that XGBoost reaches the highest performance, followed closely by Random Forest. When considering CNN, we see that only Naive Bayes is resulting in smaller accuracies. Interestingly, when considering 1 000 measurements scenario, we see that CNN actually has by far the best accuracy. We believe this to be due to a combination of a small number of measurements and a small number of features. For a larger number of measurements, CNN also needs more features in order to train a strong model. Table 3. Testing results, DPAcontest v4, 50 features Dataset size NB
MLP XGBoost RF
CNN
1 000
37.6 44.8
52.0
49.2 60.4
10 000
65.2 81.3
79.7
82.4 77.2
50 000
64.1 86.8
88.8
87.9 81.4
66.5 91
92.1
90.3 84.5
100 000
In Table 4, we present results for DPAcontest v2 with 50 features. As observed in related work (e.g., [13,19,20]) DPAcontest v2 is a diﬃcult dataset for proﬁled
168
S. Picek et al.
attacks. Indeed, CNN here always assigns all the measurements into the class HW4. Additionally, although MLP does not assign all the measurements into HW4, by examining confusion matrices we observed that the prevailing number of measurements is actually in that class, with only a few ones belonging to HW3 and HW 5. Finally, we see that the best performing technique is XGBoost. The confusion matrix for XGBoost results reveals that even when the accuracy for XGBoost is similar as assigning all measurements into HW4, the algorithm is actually able to correctly classify examples of several classes. Since for this dataset we have the same imbalanced scenario as for DPAcontest v4, we can assume that the combination of high noise and imbalancedness represents the problem for CNNs. Additionally, our experiments indicate that with this dataset, the more complex the architecture, the easier is to assign all the measurements into HW4. Consequently, simpler architectures work better as there is not enough expressive power in the network to learn perfectly the training set. For this reason, the CNN architecture used in [19] works better for DPAcontest v2 since it is much simpler than the CNN architecture we use here. Table 4. Testing results, DPAcontest v2, 50 features Dataset size
NB
MLP
XGBoost RF
CNN
1 000 10 000 50 000 100 000
14.4 10.6 12 11.7
28.8 28.3 26.6 27.1
28.8 27.3 26.6 27.1
28.8 28.2 26.7 27.1
25.6 25.8 25.3 25.8
Finally, in Table 5, we give results for the Random delay dataset with 50 features. We can observe that the accuracies are similar to the case of DPAcontest v2 but here we do not have such pronounced problems with assigning all measurements into HW4. In fact, that behavior occurs in only one case – CNN with 50 000 measurements. Table 5. Testing results, Random delay, 50 features Dataset size
NB
MLP
XGBoost RF
CNN
1 000 10 000 50 000
20 22 25.6
22 26.7 27.6
27.32 24.9 26.3
21.2 28.2 27.1
26.8 27 26.9
One could ask why setting the limit to only 50 features? For many machine learning techniques, the complexity increases drastically with the increase in the number of features. Combining that fact with a large number of measurements and we soon arrive into a situation where machine learning is simply to slow for
On the Performance of Convolutional Neural Networks for SCA
169
practical evaluations. This is especially pronounced since only a few algorithms have optimized versions (e.g., supporting multicore and/or GPU computation). For CNNs we do not have such limiting factors. In fact, modern implementations of deep learning architectures like CNNs enable us to work with thousands of features and millions of measurements. Consequently, in Table 6, we depict the results for CNNs for all three considered datasets when using all available features. For DPAcontest v4, we see improvements in accuracy in all cases, where for cases with more measurements we see drastic improvements. It is especially interesting to consider cases with 50 000 and 100 000 measurements where we reach more than 95% accuracy. These results conﬁrm our intuition that CNNs need many features (and not only many measurements) to reach high accuracies. For DPAcontest v2, we see no diﬀerence when using 50 features or all the features. Although disappointing, this is expected: if our architecture was already too complex when using only 50 features, adding more features does not help. Finally, when considering the Random delay dataset, we see that the accuracies for two smaller dataset sizes decrease while the accuracy for 50 000 measurements increases where we do not see that all measurements are assigned to HW4 class. Again, this is a clear sign that when working with more complex datasets, having more features helps but only if it is accompanied by the increase in the number of measurements. Table 6. Testing results for CNN, all features Dataset size
DPAcontest v4 DPAcontest v2 Random delay
1 000 10 000 50 000 100 000
60.8 92.7 97.4 96.2
28.8 22.6 22.3 27.1
20.3 20.2 28 –
Naturally, a question can be made whether it is really necessary to use deep learning for such a small increase in accuracy when compared with computationally simpler techniques given in Tables 3, 4, and 5. Still, we need to note that while for CNNs having 100 000 measurements is not considered as a large dataset, for many other machine learning techniques this would be already a huge dataset. To conclude, based on the presented results, we clearly see cases where CNNs oﬀer advantages over other machine learning techniques but we note there are cases where the opposite is true. 4.2
Success Rate and Guessing Entropy
Figures 2a until f give guessing entropy and success rate for all three datasets when using 50 000 traces in total. One can see from Figs. 2a and b that the correct secret key is found for nearly all methods already using less than 10 traces when considering DPAcontest v4. Interestingly, we see that the CNN architecture that
170
S. Picek et al.
uses all the features is less successful than the one using only 50 features, which is opposite from the results on the basis of accuracy. The most eﬃcient techniques are MLP and XGBoost, but in this scenario, we see that even a simple method like Naive Bayes is more than enough. For DPAcontest v2, we see that NB is signiﬁcantly outperforming all the other methods. This could be due to a fact that other methods are more prone to classify most of the measurements into HW4 and thus do not contribute signiﬁcant information to recover the secret key. For the Random delay dataset, we observe that NB, XGBoost, and RF are the most eﬃcient methods when considering guessing entropy. On the basis of the success rate, Naive Bayes and Random Forest are the best. To conclude, we can see that all machine learning techniques display consistent behavior for both metrics. This means that those algorithms have stable behavior in ranking not only the best key candidate but also the other key candidates.
5
Discussion and Future Work
We start this section with a small experiment where we consider DPAcontest v4 and Random delay datasets with all features. We do not give results for DPAcontest v2 since even when using all features, all the measurements are classiﬁed into HW4 class. One reason why CNNs are so successful in domains like image classiﬁcation is that they are able to maintain the topology, i.e., shuﬄing features in an image would result in a wrong classiﬁcation. We do exactly that: we shuﬄe the features uniformly at random. Since the results indicate that the topological information in the trace signal used in experiments is not as important as expected, we tried to investigate such observation in depth by testing the CNN model with the extreme case. Expectedly, running our CNN architecture on such datasets results in decreased accuracy, but one that is still quite high as given in Table 7. When comparing Tables 6 and 7, we see that for DPAcontest v4, accuracy drops 10–15%. For Random delay and 10 000 measurements, the result is even slightly better after shuﬄing. In Figs. 3a and b, we give results for guessing entropy when using shuﬄed features. Interestingly, we see that shuﬄing the features did not signiﬁcantly decrease the results for guessing entropy. Table 7. Testing results for CNN, features shuﬄed Dataset size DPAcontest v4 Random delay 10 000
77.88
21.44
50 000
84.83
27.3
100 000
84.17
–
The results imply that the topological information between features of the trace is not more useful than the other characteristics of the signal. Thus, we
On the Performance of Convolutional Neural Networks for SCA
171
(a) DPAv4, guessing entropy, 50 000 mea (b) DPAv4, success rate, 50 000 measuresurements ments
(c) DPAv2, guessing entropy, 50 000 mea (d) DPAv2, success rate, 50 000 measuresurements ments
(e) Random delay, guessing entropy, (f) Random delay, success rate, 50 000 50 000 measurements measurements
Fig. 2. Guessing entropy and success rate results
hypothesize that a speciﬁc local topology or a certain feature can be a more important factor than global topology, which is coherent to the fact that the independently selected subset of features shows a decent performance in previous
172
S. Picek et al.
(a) DPAv4
(b) Random delay
Fig. 3. Shuﬄed features, guessing entropy
experiments. To verify such a hypothesis, we investigated the feature importance which is derived from the Random Forest classiﬁer that is trained on all the features, which is illustrated in Fig. 4. Note that it is reported that the importance analysis is not reliable when it is applied on the features where they are intercorrelated such as the trace signals, compared to the features that are composed of independent variables [42]. To relax such problem, we applied the bootstrap without replacement, which is suggested in [42].
(a) DPAv4
(b) Random delay
Fig. 4. The feature importance derived from the Random Forest classiﬁer trained on DPAcontest v4 dataset. Higher value indicates corresponding feature dimension is relatively more important than others. The values are normalized such that the sum of all the importance is equal to 1.
Figure 4a suggests the features near 2 000th dimension are treated as substantially more important to the RF model than the others. It partially explains the behavior of the CNN, whose main advantage is the ability to capture meaningful information in topology, which seems a less crucial factor in the DPAcontest v4 dataset. Diﬀering from that, Fig. 4b shows there is no such region for the Random delay dataset that stands out when compared to other areas. Consequently, this implies the random delay applied in the dataset make the positional importance less inﬂuential.
On the Performance of Convolutional Neural Networks for SCA
173
Naturally, CNNs also have the implicit feature selection part. It is possible that current good results on SCA stem from that, which would mean we could use separate feature selection and classiﬁcation to the same goal. When considering deep learning architectures, and more speciﬁcally their sizes, a valid question is whether the architectures currently used in SCA are really deep. For instance, Cagli et al. mention their architecture as being “quite deep CNN architecture” but if we compare that with the stateoftheart CNNs architectures used today, we see a striking diﬀerence. The current “best” architecture for image classiﬁcation called ResNet has 152 hidden layers [43]. Our architectures look very shallow compared to that. Naturally, the question is if we even need such deep architectures, and if the answer is no, then maybe computationally simpler machine learning techniques could be a good alternative. We do not need to investigate only the deep learning part. As Cagli et al. showed, using smart preprocessing (e.g., data augmentation) can bring a more striking increase in the performance than by changing the network architecture [20]. Machine learning domain is extensively using various data augmentation techniques for years and there is no reason why some of those, more general methods could not be used in SCA. Additionally, we must mention that data augmentation is not limited to deep learning and it would be interesting to see what would happen if SCAspeciﬁc data augmentation would be used with other, simpler machine learning techniques. Finally, in this work, we do not consider masked implementations, which could be the case where convolutional neural networks outperform other techniques. Still, when considering the related work it is not so clear whether this is a trait of CNNs or simply deep architectures [20,44]. When discussing the results on a more general level, we can observe some trends. 1. The number of measurements and the number of features are connected and simply increasing one quantity without the other does not guarantee an improvement in performance. 2. The level of noise in conjunction with the highly imbalanced data seem to aﬀect CNNs more than some simpler machine learning techniques. Naturally, to reduce the level of noise, it is possible to use various forms of preprocessing and to reduce the imbalancedness, a simple solution is to undersample the most represented classes. This could be problematic in scenarios where we require a large number of measurements (but are limited in the amount we can acquire) since undersampling will drastically reduce the number of measurements we have at our disposal. 3. As a measure of performance in all algorithms, we use accuracy. When comparing the performance on the basis of accuracy vs guessing entropy, we can see there are diﬀerences and cases when accuracy cannot be used as a deﬁnitive measure of performance. Still, our results do not indicate that any of the tested algorithms are less sensitive to this problem. 4. CNNs are more computationally expensive to train and have more parameters than some other (simpler) machine learning techniques. This makes it
174
S. Picek et al.
a challenging decision whether it is beneﬁcial to invest more resources into tuning for a probably small improvement in the performance. 5. We see that one trained CNN architecture for a speciﬁc dataset is suboptimal on some other datasets. This indicates that the obtained models are not easily transferable across scenarios, which even more raises the concern about the computational costs vs. potential performance gains.
6
Conclusions
In this paper, we consider a number of scenarios for proﬁled SCA and we compare the performance of several machine learning algorithms. Recently, very good results obtained with convolutional neural networks suggested them to be a method of choice when conducting proﬁled SCA. Our results show that CNNs are able to perform very well but the same could be said for other machine learning techniques. We see a direct advantage for CNN architectures over machine learning techniques for cases where the level of noise is low, the number of measurements is large, and the number of features is high. In other cases, our ﬁndings suggest that other machine learning techniques are able to perform on a similar level (with much smaller computational cost) or even surpass CNNs. Of course, stating that CNNs perform well when the level of noise is low does not mean that some other machine learning technique we considered here is very good when the level of noise is high. Rather, when the level of noise is (very) high, we conclude that both CNNs and machine learning techniques have similar diﬃculties in classifying. When considering the guessing entropy metric, the results favor methods like Random Forest and XGBoost, which is a clear indication more experiments are needed to properly assess the strengths of convolutional neural networks. As discussed in previous sections, there are many possible research directions one could follow, which will, in the end, bring more cohesion to the area and more conﬁdence in the obtained results.
References 1. Ronen, E., Shamir, A., Weingarten, A., O’Flynn, C.: IoT goes nuclear: creating a ZigBee chain reaction. In: IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, 22–26 May 2017, pp. 195–212. IEEE Computer Society (2017) 2. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Ko¸c, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). https://doi.org/10.1007/3540364005 3 3. Heuser, A., Rioul, O., Guilley, S.: Good is not good enough. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 55–74. Springer, Heidelberg (2014). https://doi.org/10.1007/9783662447093 4 4. Lerman, L., Poussier, R., Bontempi, G., Markowitch, O., Standaert, F.X.: Template attacks vs. machine learning revisited (and the curse of dimensionality in sidechannel analysis). In: Mangard, S., Poschmann, A.Y. (eds.) COSADE 2014. LNCS, vol. 9064, pp. 20–33. Springer, Cham (2015). https://doi.org/10.1007/9783319214764 2
On the Performance of Convolutional Neural Networks for SCA
175
5. Schindler, W., Lemke, K., Paar, C.: A stochastic model for diﬀerential side channel cryptanalysis. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 30–46. Springer, Heidelberg (2005). https://doi.org/10.1007/11545262 3 6. Choudary, O., Kuhn, M.G.: Eﬃcient template attacks. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 253–270. Springer, Cham (2014). https://doi.org/10.1007/9783319083025 17 7. Mitchell, T.M.: Machine Learning, 1st edn. McGrawHill Inc., New York (1997) 8. Heuser, A., Zohner, M.: Intelligent machine homicide. In: Schindler, W., Huss, S.A. (eds.) COSADE 2012. LNCS, vol. 7275, pp. 249–264. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642299124 18 9. Hospodar, G., Gierlichs, B., De Mulder, E., Verbauwhede, I., Vandewalle, J.: Machine learning in sidechannel analysis: a ﬁrst study. J. Cryptogr. Eng. 1, 293– 302 (2011). https://doi.org/10.1007/s133890110023x 10. Lerman, L., Bontempi, G., Markowitch, O.: Power analysis attack: an approach based on machine learning. Int. J. Appl. Cryptol. 3(2), 97–115 (2014) 11. Lerman, L., Bontempi, G., Markowitch, O.: A machine learning approach against a masked AES: reaching the limit of sidechannel attacks with a learning model. J. Cryptogr. Eng. 5(2), 123–139 (2015) 12. Lerman, L., Medeiros, S.F., Bontempi, G., Markowitch, O.: A machine learning approach against a masked AES. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 61–75. Springer, Cham (2014). https://doi.org/10.1007/ 9783319083025 5 13. Picek, S., Heuser, A., Guilley, S.: Template attack versus Bayes classiﬁer. J. Cryptogr. Eng. 7(4), 343–351 (2017) 14. Gilmore, R., Hanley, N., O’Neill, M.: Neural network based attack on a masked implementation of AES. In: 2015 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 106–111, May 2015 15. Heuser, A., Picek, S., Guilley, S., Mentens, N.: Lightweight ciphers and their sidechannel resilience. IEEE Trans. Comput. PP(99), 1 (2017) 16. Heuser, A., Picek, S., Guilley, S., Mentens, N.: Sidechannel analysis of lightweight ciphers: does lightweight equal easy? In: Hancke, G.P., Markantonakis, K. (eds.) RFIDSec 2016. LNCS, vol. 10155, pp. 91–104. Springer, Cham (2017). https://doi. org/10.1007/9783319620244 7 17. Picek, S., et al.: Sidechannel analysis and machine learning: a practical perspective. In: 2017 International Joint Conference on Neural Networks, IJCNN 2017, Anchorage, AK, USA, 14–19 May 2017, pp. 4095–4102 (2017) 18. Picek, S., Heuser, A., Jovic, A., Legay, A.: Climbing down the hierarchy: hierarchical classiﬁcation for machine learning sidechannel attacks. In: Joye, M., Nitaj, A. (eds.) AFRICACRYPT 2017. LNCS, vol. 10239, pp. 61–78. Springer, Cham (2017). https://doi.org/10.1007/9783319573397 4 19. Maghrebi, H., Portigliatti, T., Prouﬀ, E.: Breaking cryptographic implementations using deep learning techniques. In: Carlet, C., Hasan, M.A., Saraswat, V. (eds.) SPACE 2016. LNCS, vol. 10076, pp. 3–26. Springer, Cham (2016). https://doi. org/10.1007/9783319494456 1 20. Cagli, E., Dumas, C., Prouﬀ, E.: Convolutional neural networks with data augmentation against jitterbased countermeasures. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 45–68. Springer, Cham (2017). https://doi.org/ 10.1007/9783319667874 3 21. Chollet, F., et al.: Keras (2015). https://github.com/fchollet/keras 22. Abadi, M., et al.: TensorFlow: largescale machine learning on heterogeneous systems (2015). Software available from tensorﬂow.org
176
S. Picek et al.
23. Wolpert, D.H.: The lack of a priori distinctions between learning algorithms. Neural Comput. 8(7), 1341–1390 (1996) 24. Bellman, R.E.: Dynamic Programming. Dover Publications, Incorporated, Mineola (2003) 25. Hughes, G.: On the mean accuracy of statistical pattern recognizers. IEEE Trans. Inf. Theory 14(1), 55–63 (1968) 26. Hornik, K.: Approximation capabilities of multilayer feedforward networks. Neural Netw. 4(2), 251–257 (1991) 27. Friedman, N., Geiger, D., Goldszmidt, M.: Bayesian network classiﬁers. Mach. Learn. 29(2), 131–163 (1997) 28. Collobert, R., Bengio, S.: Links between perceptrons, MLPs and SVMs. In: Proceedings of the TwentyFirst International Conference on Machine Learning, ICML 2004, p. 23. ACM, New York (2004) 29. Friedman, J.H.: Greedy function approximation: a gradient boosting machine. Ann. Stat. 29, 1189–1232 (2000) 30. Chen, T., Guestrin, C.: XGBoost: a scalable tree boosting system. CoRR abs/1603.02754 (2016) 31. Breiman, L.: Random forests. Mach. Learn. 45(1), 5–32 (2001) 32. LeCun, Y., Bengio, Y., et al.: Convolutional networks for images, speech, and time series. In: The Handbook of Brain Theory and Neural Networks, vol. 3361, no. 10 (1995) 33. Van Den Oord, A., et al.: WaveNet: a generative model for raw audio. arXiv preprint arXiv:1609.03499 (2016) 34. Demuth, H.B., Beale, M.H., De Jess, O., Hagan, M.T.: Neural Network Design. Martin Hagan (2014) 35. Kingma, D.P., Ba, J.: Adam: a method for stochastic optimization. CoRR abs/1412.6980 (2014) 36. Standaert, F.X., Malkin, T.G., Yung, M.: A uniﬁed framework for the analysis of sidechannel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642010019 26 37. TELECOM ParisTech SEN research group: DPA Contest, 4th edn (2013–2014). http://www.DPAcontest.org/v4/ 38. TELECOM ParisTech SEN research group: DPA Contest, 2nd edn (2009–2010). http://www.DPAcontest.org/v2/ 39. Coron, J.S., Kizhvatov, I.: An eﬃcient method for random delay generation in embedded software. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 156–170. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642041389 12 40. James, G., Witten, D., Hastie, T., Tibshirani, R.: An Introduction to Statistical Learning. STS, vol. 103. Springer, New York (2013). https://doi.org/10.1007/9781461471387 41. Klambauer, G., Unterthiner, T., Mayr, A., Hochreiter, S.: Selfnormalizing neural networks. arXiv preprint arXiv:1706.02515 (2017) 42. Strobl, C., Boulesteix, A.L., Zeileis, A., Hothorn, T.: Bias in random forest variable importance measures: illustrations, sources and a solution. BMC Bioinform. 8(1), 25 (2007) 43. He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. CoRR abs/1512.03385 (2015) 44. Timon, B.: Nonproﬁled deep learningbased sidechannel attacks. Cryptology ePrint Archive, Report 2018/196 (2018). https://eprint.iacr.org/2018/196
Diﬀerential Fault Attack on SKINNY Block Cipher Navid Vafaei1 , Nasour Bagheri1,2(B) , Sayandeep Saha3 , and Debdeep Mukhopadhyay3 1
Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran, Iran
[email protected],
[email protected] 2 School of Computer Science, Institute for Research in Fundamental Sciences (IPM), Tehran, Iran 3 Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur, Kharagpur, India
[email protected],
[email protected]
Abstract. SKINNY is a family of tweakable lightweight block ciphers, proposed in CRYPTO 2016. The proposal of SKINNY describes two block size variants of 64 and 128 bits as well as three options for tweakey. In this paper, we present diﬀerential fault analysis (DFA) of four SKINNY variants – SKINNY 6464, SKINNY 128128, SKINNY 64128 and SKINNY 128256. The attack model of tweakable block ciphers allow the access and full control of the tweak by the attacker. Respecting this attack model, we assume a ﬁxed tweak for the attack window. With this assumption, extraction of the master key of SKINNY requires about 10 nibble fault injections on average for 64bit versions of the cipher, whereas the 128bit versions require roughly 21 byte fault injections. The attacks were validated through extensive simulation. To the best of authors’ knowledge, this is the ﬁrst DFA attack on SKINNY tweakable block cipher family and, in fact, any practical realization of tweakable block ciphers.
Keywords: Block cipher
1
· Diﬀerential fault attack · SKINNY
Introduction
Fault analysis attacks are one of the potent practical threats to modern cryptographic implementations. Originally proposed by Boneh et al. [8] in September 1996 in the context of the RSA algorithm, fault attacks were readily extended for symmetric key cryptosystems by Biham and Shamir [6] as Diﬀerential Fault Analysis (DFA). The main idea of DFA is to analyze the XOR diﬀerential between the correct and the corresponding faulty ciphertexts to extract the secret key. So far DFAs are the most fundamental classes of fault attacks for symmetric key primitives and has been applied on several block ciphers like c Springer Nature Switzerland AG 2018 A. Chattopadhyay et al. (Eds.): SPACE 2018, LNCS 11348, pp. 177–197, 2018. https://doi.org/10.1007/9783030050726_11
178
N. Vafaei et al.
AES, PRESENT, PRINCE, SIMON and Hash algorithms like SHA3 and Grøstl [1,3,4,7,9,10,17,23–25,29]. Even with the discovery of certain other sophisticated classes of fault attacks such as Blind Fault Attack (BFA) [16], Fault sensitivity analysis (FSA) [18], Statistical Fault Attack (SFA) [11], Diﬀerential Fault Intensity Analysis (DFIA) [12] attacks, DFA still remains as a prime tool for cipher analysis mainly due to its low fault complexity and extremely relaxed fault model assumptions compared to the aforementioned attacks. SKINNY [5] is a new lightweight tweakable block cipher which was presented to compete with the NSA recent design, SIMON. The tweakable block cipher is a relatively new concept for block cipher design, originally proposed by Liskov, Rivest and Wagner in [19]. Unlike conventional block ciphers, which take a secret key and a public message as inputs, a tweakable block cipher expects another public input known as tweak. Each ﬁxed setting of the tweak is supposed to give rise to a diﬀerent, apparently independent, family of block cipher encryption operators. Informally, the security requirement of a tweakable block cipher demands the cipher to remain secure even if the adversary can observe and control the tweak. Also, from a practical point of view, changing the tweak should be more eﬃcient than altering the secret key. Tweaks have been eﬃciently utilized in past to provide resistance against certain sidechannel attacks [13,21]. Apart from that, tweakable block ciphers may ﬁnd its use for low latency implementations of several applications like memory and disk encryption [5]. SKINNY adopts the concept of tweakable block ciphers in the context of lightweight cryptography. In order to provide the tweak feature, a generalized version of the STK construction (also known as the TWEAKEY construction) [15] was utilized. On the other hand, the design of SKINNY guarantees high security against conventional diﬀerential and linear cryptanalysis. The serialized implementation on ASIC has a very small footprint. Furthermore, the SKINNY family is engineered to be highly customizable. The SubstitutionPermutationNetwork (SPN) construction of this cipher supports two diﬀerent block sizes of 64 and 128 bits. The key (termed as tweakey in SKINNY speciﬁcation) size can vary up to 512 bits. The original speciﬁcation describes the parameterized variants as SKINNY nn, SKINNY n2n and SKINNY n3n, where n denotes the block size of the cipher, and n, 2n and 3n denoting the tweakey size. As recommended by the authors of SKINNY, the tweak material is processed within the same framework as of the key material following the TWEAKEY philosophy [15]. So far, impossible diﬀerential attack for reducedround of all variants of SKINNY was presented [2,14,20,22,27]. However, no implementedbased attack was ever reported on SKINNY, to the best of the authors’ knowledge. In this context, it is worth mentioning that, evaluation against implementationbased attacks is crucial for lightweight block ciphers for which the deployment of area and powerhungry countermeasures are not economic. Also, most of the lightweight ciphers are supposed to be deployed on inﬁeld devices (e.g. RFID tags, sensor nodes) which are physically accessible by the adversaries. Consequently, implementationbased attacks like sidechannel and fault injection become highly practical for lightweight block ciphers.
Diﬀerential Fault Attack on SKINNY Block Cipher
179
In this paper we perform diﬀerential fault analysis attacks on four SKINNY variants described as SKINNY nn, SKINNY n2n (for n = 64 and 128). However, the attacks are easily extendable to the other variants. We consider the tweak may remain ﬁxed during the attack and is known to the attacker. It is found that, roughly 10 random nibble/byte fault injections at 4 diﬀerent nibble/byte locations at the beginning of the R−4th round of SKINNY (having total R iterative rounds) is suﬃcient to extract the master key for variants SKINNY nn, SKINNY n2n (while tweak is enabled). The theoretical analysis is also validated by extensive simulation experiments on software implementations of SKINNY. The rest of this paper is organized as follows. In Sect. 2, we present the speciﬁcation of the SKINNY cipher family. The DFA attacks on SKINNY are described in Sect. 3. Complexity analysis and simulation results to validate the attacks is elaborated in Sect. 4, followed by a discussion in Sect. 5, which sheds some light on the possibility of extending the attacks for other versions of SKINNY. Finally, we conclude in Sect. 6.
2
Speciﬁcation of SKINNY
In this section, we brieﬂy describe the SKINNY speciﬁcation. First, an overview of the inputoutput and key formats are provided. Next, we provide short summaries for the cipher suboperations which are relevant in the context of DFA attacks. For a detailed description of each suboperation one may refer to [5]. A summary of important notations, used throughout this paper, is given in Table 1. 2.1
General Description
SKINNY follows an SPN structure supporting two block sizes of 64 and 128 bits, respectively. For convenience, in this paper the block size is denoted as a parameter n. The input plaintext is denoted as m = m1 m2  · · · m15 m16 , with n (a cell is a nibble for 64bit block size or each mi denoting an sbit cell with s = 16 a byte for 128bit block size). Following the standard convention for representing SPN ciphers, the input as well as the internal states (IS) are arranged as 4 × 4 matrix of cells. The representation of IS is described in Eq. (1). For the sake of explanation, all the indices start from 1 (i.e. i ∈ {1, 2, 3, · · · , 15, 16})1 . Also, the indexing of the state is rowwise. ⎤ ⎡ x1 x2 x3 x4 ⎢ x5 x6 x7 x8 ⎥ ⎥ (1) IS = ⎢ ⎣ x9 x10 x11 x12 ⎦ x13 x14 x15 x16 Following the TWEAKEY framework of [15], in SKINNY the tweak and the key material are handled in a uniﬁed way. The cipher receives a tweakey input 1
Throughout this paper, the array/state indices start from 1.
180
N. Vafaei et al. Table 1. Frequently used notations Notation Explanation n
Block size
s
Width of each cell in bits (s =
R
Total number of rounds
t
Total length of the tweakey
z
t n
T Kl
The lth tweakey array (l ∈ {1, 2, 3})
L2
The LFSR corresponding to the tweakey array T K2
n ) 16
L3
The LFSR corresponding to the tweakey array T K3
IS
Internal state
IS r
The internal state at round r
r T Kl,i
The ith keycell of the tth tweakey array at the rth round
Xir Yir Zir Uir Vir
The ith cell at the input state of Subcells at round r
Rconri ΔAri
The ith cell of the round constant at round r
Ci
The ith cell of the correct ciphertext
Ci∗
The ith cell of the faulty ciphertext
The ith cell at the input state of AddConstants at round r The ith cell at the input state of AddRoundTweakey at round r The ith cell at the input state of ShiftRows at round r The ith cell at the input state of MixColumns at round r The ith cell of the diﬀerential of correct and faulty computation at some internal state A at round r
of length t as tk = tk1 tk2  · · · tk16z . Here, tki is an sbit cell and z = nt . In general, three tweakey lengths of t = nbit, t = 2nbit and t = 3nbit are supported. The tweakey state is arranged into three 4 × 4 matrices for diﬀerent values of z 2 . Precisely, for 1 ≤ i ≤ 16, T K1 = tki when z = 1, T K1 = tki , T K2 = tk16+i when z = 2, and T K1 = tki , T K2 = tk16+i , T K3 = tk32+i when z = 3. Just like the internal state, the tweakey states are also arranged rowwise in the matrices T K1 , T K2 and T K3 3 . At this point, it is worth mentioning that the TWEAKEY framework of SKINNY provides a very ﬂexible mean of switching between the tweakenabled and tweakfree version of the cipher. In the classical tweakfree setting all three matrices T K1 , T K2 and T K3 can be loaded with keymaterial. On the other hand, it is recommended that the tweakenabled version should only use the T K1 2 3
The terms tweakey and key have been used interchangeably throughout this paper, whereas to indicate the public material we use the term tweak. Tweakey/key states and tweakey/key arrays have been used interchangeably with the same meaning in this work.
Diﬀerential Fault Attack on SKINNY Block Cipher
181
matrix to handle the tweak material. This ﬂexible uniﬁed way of processing the key and the tweaks, however, somewhat simpliﬁes the DFA attacks, as we shall show later in this paper. In the next subsection, we provide necessary details of diﬀerent suboperations of SKINNY. Table 2. Number of rounds of SKINNY for diﬀerent input and tweakey sizes Block size (n)/tweakey size (z) 1
2.2
2
3
64 bits
32 rounds 36 rounds 40 rounds
128 bits
40 rounds 48 rounds 56 rounds
Specification of Suboperations
The speciﬁcation of SKINNY describes iterative rounds consisting total 5 suboperations – SubCells (SC), AddConstants (AC), AddRoundTweaks (ART), ShiftRows (SR), and MixColumns (MC). The number of rounds depends on input and tweakey sizes (see Table 2). Figure 1 presents a schematic representation of the SKINNY round function [5].
Fig. 1. The SKINNY round function
SubCells(SC): The SBox suboperation of SKINNY applies a nonlinear bijective transformation on each cell of the internal state (IS). Following the notational conventions of this paper, the SBox transformation can be represented as (2) Yir = S(Xir ), with 1 ≤ i ≤ 16, 1 ≤ r ≤ R where Xir and Yir present input and output cells of the rth round SBox suboperation. SKINNY utilizes s × s SBoxes depending on the block size n. The SBox for s = 4 is shown in Table 3, which is constructed using a simple bitlevel nonlinear transform followed by bit rotations. We do not show the SBox for s = 8 which is constructed using a similar philosophy. Further details on the SBoxes can be found in [5]. Table 3. The 4bit Sbox used in SKINNY64 in hexadecimal form. x
0 1 2 3 4 5 6 7 8 9 A B C D E F
S4 [x] C 6 9 0 1 A 2 B 3 8 5 D 4 E 7 F
182
N. Vafaei et al.
AddConstants(AC): This suboperation of SKINNY adds the round constants (Rcon) with the internal state. Mathematically, Zir = Yir ⊕ Rconri , with 1 ≤ i ≤ 16, 1 ≤ r ≤ R. The constants are generated using a 6bit aﬃne Linear Feedback Shift Register (LFSR). AddRoundTweakey(ART): The ART suboperation of SKINNY applies keywhitening to the two ﬁrst rows of the IS. The tweakkey array T K1 (also T K2 and T K3 whenever applicable) is maintained as 4 × 4 states of sbit cells, just like the IS. The ﬁrst two rows of T Kl (l ∈ {1, 2, 3}) are extracted and bitwise XORed with IS, respecting the array positioning. In other words, r Uir = Zir ⊕ T K1,i , for z = 1 r r r r Ui = Zi ⊕ T K1,i ⊕ T K2,i , for z = 2
r r r Uir = Zir ⊕ T K1,i ⊕ T K2,i ⊕ T K3,i , for z = 3
(3) (4) (5)
where, 1 ≤ i ≤ 8, and 1 ≤ r ≤ R. As it is shown in Fig. 2, the tweakey arrays are updated using 2 linear functions. First, a cellwise permutation P T is applied on each cell, which is followed by the application of a cellwise LFSR only for the cells of the ﬁrst two rows of the 4 × 4 key states. Equation (6) shows the permutation P T , whereas, Eq. (7) presents the LFSRs corresponding to T K2 and T K3 (for diﬀerent cell sizes). For convenience, we represent the LFSR for T K2 as L2 and that for T K3 as L3 , respectively. It is worth mentioning that, no LFSR is applied on T K1 . P T = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7]
(6)
(x4 x3 x2 x1 ) → (x3 x2 x1 x4 ⊕ x3 ), for T K2 and s = 4
(7)
(x8 x7 x6 x5 x4 x3 x2 x1 ) → (x7 x6 x5 x4 x3 x2 x1 x8 ⊕ x6 ), for T K2 and s = 8 (x4 x3 x2 x1 ) → (x1 ⊕ x4 x4 x3 x2 ), for T K3 and s = 4 (x8 x7 x6 x5 x4 x3 x2 x1 ) → (x1 ⊕ x7 x8 x7 x6 x5 x4 x3 x2 ), for T K2 and s = 8
ShiftRows(SR): The SR suboperation performs a cellwise rightrotation of 0, 1, 2 and 3 cells for the ﬁrst, second, third and fourth row of IS. According to the notations used in this paper, it is written as, Vir = UPr [i] , with 1 ≤ i ≤ 16, 1 ≤ r ≤ R
(8)
P = [0, 1, 2, 3, 7, 4, 5, 6, 10, 11, 8, 9, 13, 14, 15, 12]
(9)
where, P is given as, MixColumns(MC): The ﬁnal suboperation of SKINNY multiplies the IS with a 4 × 4 matrix M. More precisely, we have X r+1 = M × V r , with M given as, ⎡ ⎤ 1011 ⎢1 0 0 0⎥ ⎥ M=⎢ (10) ⎣0 1 1 0⎦ 1010
Diﬀerential Fault Attack on SKINNY Block Cipher
183
Fig. 2. The tweakey schedule
From the next section onwards, we shall describe the DFA attacks on SKINNY nn and SKINNY n2n.
3
Diﬀerential Fault Analysis of SKINNY
The main concept behind DFA attacks is to a inject localized fault in the computation and then to analyze the XOR diﬀerence between the correct and the corrupted computation, starting from the correct and the corresponding faulty ciphertexts. Following this basic approach, in this section, we present key recovery attacks on two SKINNY variants – SKINNY nn and SKINNY n2n. For the ﬁrst variant, we assume that no tweak is present, whereas, in the second variant it is assumed that T K1 carries the tweak material and T K2 carries key material. In the following subsection, we present the attack model. The attacks will be presented in subsequent subsections. 3.1
Attack Model
The attacks in the paper are based on the following assumptions: – The attacker can observe the tweak (if exists) but and can ﬁx it to a certain known value. Although, it is a relatively strong assumption, the security model of tweakable block ciphers allow the control of the tweak material. Any breach of security following this attack model can be considered as a potential threat. – The attacker can inject random byte (or nibble faults if n = 64) faults in the datapath of SKINNY. The injected faults can be controlled to corrupt the data in a speciﬁc round. In the context of DFA attacks, it is practical and, in fact, the minimal assumption. Further, we assume that the attacker does not know the location of the corrupted byte/nibble. This is also a fairly reasonable and relaxed assumption in the context of fault attacks. Throughout this paper, the attacks will be described on parameterized versions of the cipher. In the next subsection we describe the basic attack on SKINNY nn.
184
3.2
N. Vafaei et al.
DFA on SKINNY nn
Let us assume that an sbit fault (nibble fault for 64 bit versions and byte fault for 128 bit versions), f is injected at the ﬁrst cell of the SKINNY state at the beginning of round R − 4 (in other words, the fault corrupts X1R−4 ). The propagation of the fault diﬀerential is shown in Fig. 3. Referring to Fig. 3, we introduce new variables (f, F, G, H etc.) while the fault diﬀerential propagates through a nonlinear (SBox) operation. This is because the diﬀerential
R4 f
f’
f’
f’
f’
ART
AC
SB
SR
R3 f’
MC
F1
SB
f’
f’
F1
F1
AC
F2
F3
ART
F2
F1
SR
F2
F2
F3
F3
F3
R2 F1
MC
F3
G1
SB
F1 F2
G1
G5
AC
G2 G4
F1
G1
G5
ART
G2 G4
G3
G1
G5
SR
G2
G5 G2
G4
G3
G4 G3
G3
R1 G5+G4 +G3 G5
G1
MC
G1
SB
H1
H5
H2
H6 H4
G4
G2
G5+G4
G1
AC
H1
H5
H2
H6 H4
H7
H3
H1
H5
H2
H6
H7
H3
H8
ART
H4
H8
H1
SR
H6
H4
H7
H7
H3
H5 H2
H8 H3
H8
R H1
MC
H7
H4+H3 +H5
J1
H5
J2
H6
H2+H7
H4
H1
H7
H4+H5
J7+J1 J11+J5
MC
H8
H1
SB
J5
J8
J1
J9 J10
AC
J5
J8
J9 J10
J2
J1
ART
J5
J8
J9 J10
J2
J3
J6
J11
J3
J6
J11
J3
J6
J11
J4
J7
J12
J4
J7
J12
J4
J7
J12
SR
J1
J5
J10
J2 J11
J7
J8
J9
J3
J6
J12
J4
J3+J12 J6+J4 +J9 +J8
J1
J5
J8
J9
J10
J2+J11
J3
J6
J1
J11+J5 J3+J8 J6+J9
Fig. 3. The fault propagation pattern in SKINNY with the fault induced at the 1st cell in the beginning of round (R − 4). Each variable represents a nonzero fault diﬀerential and each empty cell specify a zero diﬀerential.
Diﬀerential Fault Attack on SKINNY Block Cipher
185
propagation through an SBox is not a bijective mapping. On the other hand, fault propagation through linear diﬀusion layers is fully bijective. Also, the diﬀusion layer, especially the MixColumns suboperation is responsible for the spread (fault diﬀusion) of the fault throughout the state. Discovering the Injection Location: Figure 4 describes all the fault diﬀusion patterns for 16 possible fault injection locations at round R−4. The patterns are computed up to the penultimate MixColumns operation (that is up to the end of R − 1th round.). However, the patterns remain the same up to the input of the MC operation at round R. It is interesting to observe that all these fault patterns are distinct (except the 4 where the fault is injected at cells from the third row). The distinctness of the fault patterns can be observed by the attacker if she just applies inverse MixColumns on the diﬀerential ΔC of the correct ciphertext C and faulty ciphertext C ∗ . Due to this correspondence between the injection locations and the fault patterns, the attacker can uniquely deduce the injection location of the fault. The only exception happens for injections in the third row. The attacker, in this case, can run the attacks assuming all 4 possible positions, one at a time. The attack complexity will increase 4 times for these cases which is reasonable.
Fig. 4. The fault propagation pattern for each fault location at round R − 4. Here f indicates the fault injection location and it the colored pattern presents the fault diﬀusion pattern upto the MixColumns of the penultimate round (that is at the output of round R − 1).
186
3.3
N. Vafaei et al.
Key Recovery Attack
Most of the DFA attacks on block ciphers exploit diﬀerence equations constructed across the nonlinear layers (e.g. SBoxes) to recover the secret keys. More formally, we are interested in the solutions for x in the equations SC(x ⊕ Δip ) ⊕ SC(x) = Δo , where Δip and Δo denote the input and output diﬀerentials of the nonlinear layers, respectively and SC denotes the nonlinear suboperation (SBox for most of the modern block ciphers). The equations are the same for inverse operations and expressed as SC −1 (x⊕Δo )⊕SC −1 (x) = Δip . In the context of DFAs, the quantity x indicates a part of the unknown key. In most of the cases, we are interested in the inverse SBox equations. From now onwards we shall denote them as fault diﬀerence equations 4 . One can write several such equations corresponding to each SBox under consideration. The main idea is to solve this system of equations for keys, with the output diﬀerentials Δo known. The input diﬀerentials Δip may not be fully known to the adversary. However, at least some partial knowledge of Δip must be there, so that the correct key candidates can be distinguished from the wrong key candidates. For example, in [28], it was shown that for AES, the input diﬀerentials for 4 SBoxes are linearly related. Such linear relations on the input diﬀerentials reduced the key space of AES from 2128 to 28 . A critical factor at this point is the number of solutions for keys of the aforementioned diﬀerence equations. The SBoxes typically behave as nonbijective mappings while given a diﬀerential as input (this leads to Diﬀerential Distribution Tables (DDTs)). As a result, for the same inputoutput diﬀerential one may obtain multiple solutions for x, as well as, 0 solutions for some inputoutput diﬀerentials which are known as impossible diﬀerentials. To handle multiple solutions, in DFA, the average number of solutions for one diﬀerence equation over the complete DDT is considered for calculation. If both the Δip and Δo are known exactly, no impossible diﬀerential can happen (as otherwise, there will be no solution for the key which is a contradiction). In such cases, the average is to be taken over the nonzero part of the DDT [26]. In the case of SKINNY, the key extraction is somewhat simpler as the attacker can observe both the Δip and Δo for several cases. The cause for this will be elaborated soon in the subsequent paragraphs. For the time being, we are interested in calculating the average number of nonzero solutions for the fault diﬀerence equations. Table 4, presents the DDT for the 4 × 4 SBox of SKINNY. The average number of nonzero solutions for this SBox is 2.63. We elaborate the fault propagation in SKINNY through Fig. 3, which presents a fault propagation pattern for the fault injected at cell 1, at the beginning of round R − 4. The last grid in Fig. 3 denotes the ciphertext diﬀerential ΔC. One can apply the inverse of MC and SR to reach the output of the ART suboperation, which, according to the nomenclature of this paper is denoted as U R . At this point, one needs to guess the keys for the two upper rows of the 4
Note that in this paper we have used both the term diﬀerence and diﬀerential. Both have the same meaning in the context of this paper.
Diﬀerential Fault Attack on SKINNY Block Cipher
187
Table 4. Diﬀerential inputoutput of SubCells of SKINNY 64 Input/output 0
1 2 3 4 5 6 7 8 9 A B C D E F
0
16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1
0
0 0 0 0 0 0 0 4 4 4 4 0 0 0 0
2
0
4 0 4 0 4 4 0 0 0 0 0 0 0 0 0
3
0
0 0 0 0 0 0 0 2 2 2 2 2 4 2 2
4
0
0 4 0 0 0 2 2 0 0 0 4 2 2 0 0
5
0
0 4 0 0 0 2 2 0 0 4 0 4 2 0 0
6
0
2 0 2 2 0 0 2 2 0 2 0 0 2 2 0
7
0
2 0 2 2 0 0 2 0 2 0 2 2 0 0 2
8
0
0 0 0 4 4 0 0 0 0 0 0 2 2 2 2
9
0
0 0 0 4 4 0 0 0 0 0 0 2 2 2 2
A
0
0 0 0 0 4 4 0 2 2 2 2 0 0 0 0
B
0
4 0 4 0 0 0 0 0 0 0 0 2 2 2 2
C
0
0 4 0 0 0 2 2 4 0 0 0 0 0 2 2
D
0
0 4 0 0 0 2 2 0 4 0 0 0 0 2 2
E
0
2 0 2 2 0 0 2 0 2 0 2 0 2 2 0
F
0
2 0 2 2 0 0 2 2 0 4 0 2 0 0 2
state in order to invert the ART suboperation. However, the two lower rows do not require any key addition and they can be easily inverted up to the input of the SC suboperation. Mathematically, thus we have, R
ΔXi = SC = SC
−1
−1
(AC
R
(Yi ) ⊕ SC
−1
(ART
−1
−1
∗R
(Yi
(SR
−1
)
(M C
−1
(C)i )))) ⊕ SC
−1
(AC
−1
(ART
−1
(SR
−1
(M C
−1
∗
(C )i ))))
(11) which is valid for i ∈ {9, 10 · · · , 16}. On the other hand, for i ∈ {1, 2, · · · , 8} we have, ΔXiR = SC −1 (YiR ) ⊕ SC −1 (Yi∗R ) R = SC −1 (AC −1 (ART −1 (SR−1 (M C −1 (C)i ) ⊕ T K1,i )))⊕ R ))) SC −1 (AC −1 (ART −1 (SR−1 (M C −1 (C ∗ )i ) ⊕ T K1,i
(12) In both the Eqs. (11) and (12), M C −1 (C)i and M C −1 (C ∗ )i denote ith cell of the input of the MixColumns suboperation. The basic diﬀerence between Eqs. (11) and (12) is that for the former XiR can be uniquely determined from the correct and the faulty ciphertexts, whereas for the later XiR is unknown and depends on R . The set equations represented by Eq. (12) actually the guessed value of T K1,i provides the fault diﬀerence equations as follows,
188
N. Vafaei et al.
ΔXiR = SC −1 (YiR ) ⊕ SC −1 (Yi∗R ) R R ) ⊕ SC −1 (UiR ⊕ ΔUiR ⊕ T K1,i ) = SC −1 (UiR ⊕ T K1,i
(13)
where ΔUiR = UiR ⊕ Ui∗R . Note that i ∈ {1, 2, · · · 8}. Referring to the Fig. 3, ΔXiR indicates the fault diﬀerentials at the beginning of the Rth round (in other words, the diﬀerentials at the output of R−1th round MC.). Interesting linear patterns can be observed at this stage of computation between ΔXiR s for diﬀerent values of i. For example, let us consider ΔX1R , ΔX5R R and ΔX13 . From Fig. 3 we have, R ΔX1R = ΔX5R = ΔX13 = H1 .
(14)
R Now, according to the previous analysis, ΔX13 is uniquely known to the adversary. Utilizing this fact, we can solve Eq. (13) for i = 1 and i = 5. As in this case both the input and output diﬀerences are known and we can expect 2.63 solutions R R and T K1,5 . In general, another one or two injections at on average for T K1,1 the same fault location returns the unique key for this cell. Similarly, from Fig. 3 R R = H7 , which eventually returns 2.63 solutions for T K1,2 , we have, ΔX2R = ΔX14 which can further be reduced to an unique solution with another fault (or 2 more faults in some rare cases). R R R R , ΔX16 we have ΔX12 = H4 and ΔX16 = H4 ⊕ H5 . In the case of ΔX12 Using these two, the unique value of H5 can be computed which is equal to R can be obtained. Overall, we can ΔX8R . Consequently, unique solution for T K1,8 R R R R uniquely with 23 faults extract 4 key cells T K1,1 , T K1,2 , T K1,5 , and T K1,8 injected at the 1th cell at the beginning of round R − 4 on average. It is worth mentioning that, the rest of the 4 key cells cannot be extracted with the fault location set at the ﬁrst cell of round R − 4. The reason is twofold. R R and ΔX15 are always 0, due Firstly, one should observe that ΔX6R , ΔX7R , ΔX11 to incomplete diﬀusion of the fault. No key extraction is possible for these cases, as the fault diﬀerence equation returns only one trivial solution 0, while both the input and output diﬀerentials are 0. The second situation takes place for ΔX3R and ΔX4R . For the sake of explanation, let us ﬁrst consider ΔX4R which assumes value H3 + H4 + H5 . Although, H4 + H5 is known, the value of H3 is unknown. As a result, ΔX4R will assume all possible 2s values (28 for n = 128, and 24 for n = 4)5 . For a similar reason, no key can be extracted with ΔX3R .
Extraction of the Remaining Rth Round Keys: For the extraction of R R R R T K1,3 , T K1,4 , T K1,6 , and T K1,7 another fault injection is essential. It is apparent that there is no gain if the fault location is kept unaltered. So, the next injection should happen at a diﬀerent fault location. Choice of the fault location is crucial in this case as according to Fig. 4, diﬀerent fault location enables 5
Actually this claim is not entirely true. In fact, depending on the value of the output diﬀerential, only a certain set of input diﬀerentials will satisfy the fault diﬀerence equation for this case, whose count is expected to be < 2s . However, to exploit this observation a lot of fault injections will be required. As we shall show, that we can perform the attack with much less number of faults.
Diﬀerential Fault Attack on SKINNY Block Cipher
189
extraction of diﬀerent key cells. Further, the sets of extracted key cells corresponding to two diﬀerent fault locations may have intersections. In other words, two fault locations may lead to the extraction of same key cells twice, while some of the key cells may still remain unexplored. The solution to this issue is to select two fault locations for which the resulting fault patterns are nonoverlapping. As a concrete example, we present the fault pattern for the fault injected at the 3rd cell at the beginning of round R − 4 (see Fig. 5). For this fault pattern we can R R R R , T K1,4 , T K1,6 , and T K1,7 . This completes the extraction of the extract T K1,3 complete round key of the round R (the last round). The fault complexity of the attack is 2×2.6 = 5.2 faults on average. However, it is worth noting that depending on the value of the plaintext and the injected faults, the number of faults may vary. The reason behind this fact is that during the analysis, we consider the average case for which 2.6 solution is expected from the diﬀerence equations. However, from the diﬀerential distribution table of the 4 × 4 SKINNY SBox in Table 4, it can be seen that for a known inputoutput diﬀerence pair, either 2 or 4 solutions are possible for most of the cases. Although this count should get averaged out while diﬀerent equations are considered together, in practice we may require more or fewer faults in some cases. However, the number of extra injections (or fewer injections) are consistent, in general, with the theoretical estimate and do not inﬂuence the eﬃciency or the attack strategy. Extraction of the Master Key: The SKINNY key schedule uses only half of the entire key material in each round. Figure 6 describes the two consecutive stages of the SKINNY tweakey schedule. As we are considering SKINNY nn versions, T K1 is the only tweakey state involved, which just permutes the tweakey cells using the permutation P T . It can be observed that completely independent tweakey cells are used in two consecutive rounds. Consequently, the last round key exposes only half of the tweakey state and in order to obtain the master key, the penultimate round key should also be extracted. The goal now is to extract two consecutive round keys with minimum number of fault injections. The straightforward way of minimizing the fault injections is to reuse the fault propagation patterns we obtained to extract the last round key. Once the last round keys are extracted, the last round can be inverted. Now the fault diﬀerence equations, corresponding to the fault pattern of Fig. 3, can be constructed for round R − 1 as follows, R−1
ΔXi
= SC
= SC
−1
(AC
−1
−1
R−1
(Yi
(ART
) ⊕ SC
−1
(SR
−1
−1
∗R−1
(Yi
(M C
−1
) R
(X )i )))) ⊕ SC
−1
(AC
−1
(ART
−1
(SR
−1
(M C
−1
(X
∗R
)i ))))
(15) Here, i ∈ {9, 10, · · · , 16}. For the rest of the cells we have, ΔXiR−1 = SC −1 (YiR−1 ) ⊕ SC −1 (Yi∗R−1 ) R−1 = SC −1 (AC −1 (ART −1 (SR−1 (M C −1 (X R )i ) ⊕ T K1,i )))⊕ R−1 SC −1 (AC −1 (ART −1 (SR−1 (M C −1 (X ∗R )i ) ⊕ T K1,i )))
(16)
190
N. Vafaei et al. f
f’
f’
f’
f’
ART
AC
SB
SR
R3 f’
F1
F1
SB
f’
MC
AC
F2
f’
F1
ART
F2
F3
F3
F1
SR
F2
F2
F3
F3
R2 F1
F3
MC
G1
F1
SB
G1
G2
AC
G3
F2
G2
G2
SR
G3
G3 G5
G5
G4
G4
G1
G2
G5
G5
F1
G1
ART
G3
G4
G4
R1 MC
G4+G5 +G1
G2
G1
G2
H1
SB
G5
H3
G3
G5+G1
H1
H5
AC
H2 H6
G2
H1
H5
ART
H2 H6
H8
H3
H4 H7
H1
H5
SR
H2 H6
H8
H3
H4 H7
H5 H2
H8
H8
H4 H7
H6 H3
H4 H7
R H4
MC
H7+H8 +H1 H1
H5
H3
J1
H5
H8
H2
H6+H3
H8+H1
H5
H3
SB
J2
J6
J1
J10
AC
J2
J6
J3
J7
J1
J10
ART
J2
J6
J3
J7
J10
J1
J2
J6
SR
J3
J3
J7
J4
J8
J11
J4
J8
J11
J4
J8
J11
J8
J11
J5
J9
J12
J5
J9
J12
J5
J9
J12
J5
J9
J10 J7 J4
J12
J8+J5 J9+J11 J6+J12 J10+J4 +J1 +J2
MC
J1
J2
J6
J10
J8
J11
J3
J4+J7
J6
J10+J4
J1+J8 J11+J2
Fig. 5. The fault propagation pattern in SKINNY with the fault induced at the 3rd cell in the beginning of round (R − 4) (at cell number 3). Each variable represents a nonzero fault diﬀerential and each empty cell specify a zero diﬀerential. K1
K2
K3
K4
K5
K6
K7
K8
K9
K10
K11
K13
K14
K15
K3
K1
K5
K8
K7
K4
K6
K2
K9
K10
K11
K12
K13
K14
K15
K16
K12
K3
K1
K5
K8
K’11 K’9 K’13 K’16
K16
K7
K4
K6
K2
K’15 K’12 K’14 K’10
PT
Round r
PT
Round r+1
Fig. 6. The usage of the key material in SKINNY for tweakey array T K1 .
Diﬀerential Fault Attack on SKINNY Block Cipher
191
In both the equations M C −1 (X R )i and M C −1 (X ∗R )i denote the ith cells of the inverse MixColumns suboperation corresponding to the correct and the faulty ciphertexts, respectively. R−1 R−1 R−1 , T K1,5 and T K1,8 ) It follows from Fig. 3 that only 3 key cells (T K1,1 can be extracted uniquely with this fault pattern. None of the rest can, however, be extracted. Considering the other pattern from Fig. 5, we can extract total 6 R−1 R−1 R−1 R−1 R−1 R−1 , T K1,5 , T K1,8 , T K1,3 , T K1,6 and T K1,7 ). To extract key cells (T K1,1 rest of the key cells we need to inject more faults. Unfortunately, none of the two remaining fault patterns in the ﬁrst row is able to extract the rest of the R−1 R−1 and T K1,4 ) alone. As a result we need to inject two two key cells (i.e. T K1,2 more faults (each twice) at cell 2 and cell 4 at the beginning of round R − 4. In summary, total 4 × 2.63 = 10.55 injections are required to uniquely determine the complete key state T K1 of SKINNY. Once the full key state is recovered, the initial master key can be recovered trivially. Exploring Other Fault Locations: One interesting observation for SKINNY is that the fault patterns are quite diverse for diﬀerent fault locations. For example, if a cell from the third row is corrupted at round R − 4, the fault diﬀusion is complete within the penultimate round (see Fig. 4). Another distinct case happens for an injection in the second row, for which one can extract 5 key cells at the last round. It may seem that the second or third row is a better place for injecting faults. However, this is not entirely true because of the fact that we need to extract keys from two consecutive rounds. In fact, we observe that at least 4 distinct fault locations are always required to extract these key cells (multiple injections at each location are required). Alternatively, one may consider injections at the round R − 3. However, the required number of injections is more for this case since the fault diﬀusion can not be complete at the penultimate round.
K1
K2
K3
K4
K5
K6
K7
K8
K9
K10
K11
K13
K14
K15
K9
K10
K11
K12
K13
K14
K15
K16
K12
K3
K1
K5
K8
K3
K1
K5
K8
K16
K7
K4
K6
K2
K7
K4
K6
K2
K’9 K’10 K’11 K’12
K3
K1
K5
K8
K’3
K’1
K’5
K’8
K’13 K’14 K’15 K’16 PT
K7
K4
K6
K2
K’7
K’4
K’6
K’2
PT
K’9 K’10 K’11 K’12 L1
L1
K’13 K’14 K’15 K’16
K3
K1
K5
K8
K’11 K’9 K’13 K’16
K’11 K’9 K’13 K’16
K7
K4
K6
K2
K’15 K’12 K’14 K’10
K’15 K’12 K’14 K’10
Fig. 7. The usage of the key material in SKINNY in tweakey array T K2 .
192
3.4
N. Vafaei et al.
DFA on SKINNY n2n
The attack described in the last two subsections only targets the case, while only T K1 is used (that is for z = 3). However, the SKINNY speciﬁcation allows two other cases for z = 2 and z = 3. Most importantly, the tweaks can be allowed. As already pointed out in Sect. 2.2, the T K1 is recommended for processing the public tweak material. In this section, we shall extend the basic attack on SKINNY, for one of the cases where the tweak can be incorporated. More speciﬁcally, we consider the cases where T K1 is used for the tweak and T K2 is used for original key material. Figure 7, describes the tweakey schedule of SKINNY for T K2 . Also, we have already depicted the tweakey schedule for T K1 in Fig. 6. The ﬁrst thing to observe in both the cases is that the complete tweakey state is divided into two consecutive rounds. So, just like the previous attack, we have to extract the key materials for two consecutive cases. However, unlike the previous case, where we m m obtained some permutation Lm 1 of T K1 , here we obtain L1 (T K1 ) ⊕ L2 (T K2 ), where L1 and L2 denote the linear operations on T K1 and T K2 , respectively. The L1 in this case simply denote the permutation P T whereas L2 represents the combined eﬀect of the P T and the LFSR on T K2 . The index m is added here just to indicate the repeated use of these linear operations. In order to extract the master key we need to extract T K1 and T K2 sepam rately from Lm 1 (T K1 ) ⊕ L2 (T K2 ). However, it is fairly straightforward in this case as the tweak T K1 is public. The attacker can simply compute Lm 1 (T K1 ) and m extract Lm 2 (T K2 ). Once the L2 (T K2 ) is obtained, the T K2 can be determined by simply inverting the LFSR and the Permutation round by round. Although, the attack is fairly simple the consequence is important. It clearly indicates that the tweaks in SKINNY do not provide any extra protection against fault attack if kept ﬁxed even for a couple of invocations of the cipher. Although the safest alternative is to change it in every invocation, it might not be easy for resourceconstraint devices for which lightweight ciphers are actually meant for. Another obvious alternative is to keep the tweak secret. However, the attacker m can still obtain the whole information regarding Lm 1 (T K1 ) ⊕ L2 (T K2 ), which can provide signiﬁcant entropy reduction for both T K1 and T K2 if not exposes them completely.
4
Fault Attack Complexity and Simulation Results
In this section, we summarize the complexity analysis of the attack. Further, we provide experimental support for the attacks described. The experiments were performed on an Intel Corei5 machine with 8GM RAM and 1TB main memory. The simulation platform was MATLAB2013b. 4.1
Fault Attack Complexity in SKINNY
The attack complexities were already mentioned at diﬀerent places during describing the attacks. Here we summarize them, just for the sake of clarity. With
Diﬀerential Fault Attack on SKINNY Block Cipher
193
the faults injected at the granularity of cells (that is 4bit faults for SKINNY 6464 and SKINNY 64128 and 8 bit faults for SKINNY 128128 and SKINNY 128256) at the beginning of the R − 4th round, we require total 4 fault injection locations on average to extract the keys from last two rounds, which gives the complete key state. Further, taking the average number of nonzero solutions for each SBox into consideration, the number of solutions for a single key cell of interest becomes 2.63. Among these 2.63 solutions, only one is the correct one. So, with roughly 2–3 more injections at the same location, a unique key can be recovered. Overall, for the 4 × 4 SBoxes, we thus require total 4 × 2.63 = 10.55 injections. 4.2
Simulation Results
In order to validate the theoretical analysis, we performed extensive experiments through simulation. Here we present the results for SKINNY64, for which we inject nibble faults. In order to get the general picture, faults were randomly injected at diﬀerent locations of the internal state (we carefully avoided repetitions in one attack campaign, i.e. for each complete attack only 4 distinct random fault locations were considered.) at the beginning of round R − 4. Simulations were performed for 10000 random plaintextkey samples. Further, for each plaintextkey pair, 256 random(consists diﬀerent location of faults with various value) injections were considered in order to consider the eﬀect of diﬀerent fault values and the average is taken. Figure 8, presents the histograms for the number of faults required. Here we only present the results for SKINNY 6464 and SKINNY 128128 as the other conﬁgurations show similar trends. It can be observed that the average number of injections for SKINNY 6464 is 10.6, which almost perfectly matches with the theoretically obtained average of 10.55. However, the theoretical average number of faults for the 8 × 8 SBox of SKINNY 128128 is about 21. In simulation, however, we obtain an average around 17. The discrepancy of the simulation and theoretical result in this case can be attributed to the fact that in most of the cases of the 8 × 8 SBox, one obtain 2 or 4 solutions, and for a relatively less number of cases obtains 8 solutions (it is a purely statistical observation from the experiments). Due to this bias, the experimental average tends to remain near 17, whereas the theoretical average, which assigns uniform weight to all 2, 4, 6 and 8 solution cases, results in an overestimation. Further, one should also observe the tails of the histograms towards higher fault counts. One important feature of SKINNY attacks is that not every fault location returns an equal number of keys. Also, not every sequence of locations is equally eﬀective. The large fault counts indicate some of these illconditioned fault sequences, which may also have a large number of solutions corresponding to each of their fault diﬀerence equations. The execution time for the attacks is another important parameter. Figure 9, presents the execution time for the attacks from simulation. Note that, some of the practical issues like the probability of a successful fault injection, or acquisition time for faulty ciphertexts are ignored in this simulationbased experiments.
194
N. Vafaei et al.
#Plaintextkey pairs
#Plaintextkey pairs Number of Faults
Number of Faults
(b)
(a)
Fig. 8. Histogram showing the number of faults required for diﬀerent random plaintextkey pairs.
#Plaintextkey pairs
#Plaintextkey pairs Attack time (sec.)
Attack time (sec.)
(b)
(a)
Fig. 9. Histogram showing the attack timing for diﬀerent random plaintextkey pairs. An attack is considered complete while all the targeted key cells are uniquely discovered.
Here each fault is injected with 100% success probability. It can be observed that the average attack time ranges from 0.28 s (for SKINNY 6464) to 0.38 s (for SKINNY 128128). All the average counts have been summarized in Table 5. Table 5. Average number of faults required to specify round keys Version
Avg. number of faults Avg. time for key recover
SKINNY 64
10.6
0.28
SKINNY 128 16.7
0.38
Diﬀerential Fault Attack on SKINNY Block Cipher
5
195
Discussion
It is worth mentioning that, the existence of tweaks do not inﬂuence the complexity of the attacks, until it is kept ﬁxed. It directly follows from the theoretical analysis we presented in Sect. 3.4. Also, the basic attack for key extraction described in this paper works for other versions of SKINNY (e.g. SKINNY n3n and derivatives of them). However, extraction of the master keys will change. For example, considering the attacks on SKINNY n3n, with T K1 used for tweak, one need to extract both T K2 and T K3 . Future extension of this work will describe attacks for these cases.
6
Conclusion
In this paper, we presented DFA attacks on SKINNY nn and SKINNY n2n. It has been observed that key extraction of SKINNY requires faults to be injected at diﬀerent locations of the state, that too multiple times. We also presented supporting experimental validation of the theoretical analysis presented. One very crucial observation was that the public tweak does not provide any added security against fault injection attacks if kept ﬁxed for only a couple of invocations of the cipher. In future, the attacks can be extended for other SKINNY versions. A very important extension could be to extend the attacks for variable tweaks. Another potential direction for future work would be to design suitable lightweight fault attack countermeasures for SKINNY.
References 1. Ali, S.S., Mukhopadhyay, D.: A diﬀerential fault analysis on AES key schedule using single fault. In: 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 35–42. IEEE (2011) 2. Ankele, R., et al.: Relatedkey impossiblediﬀerential attack on reducedround SKINNY. Technical report, Cryptology ePrint Archive, Report 2016/1127 (2016). http://eprint.iacr.org/2016/1127, 2017 3. Bagheri, N., Ebrahimpour, R., Ghaedi, N.: New diﬀerential fault analysis on present. EURASIP J. Adv. Sig. Process. 2013(1), 145 (2013) 4. Bagheri, N., Ghaedi, N., Sanadhya, S.K.: Diﬀerential fault analysis of SHA3. In: Biryukov, A., Goyal, V. (eds.) INDOCRYPT 2015. LNCS, vol. 9462, pp. 253–269. Springer, Cham (2015). https://doi.org/10.1007/9783319266176 14 5. Beierle, C., et al.: The SKINNY family of block ciphers and its lowlatency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/97836625300855 6. Biham, E., Shamir, A.: Diﬀerential fault analysis of secret key cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052259 7. Bl¨ omer, J., Seifert, J.P.: Fault based cryptanalysis of the advanced encryption standard (AES). In: Wright, R.N. (ed.) FC 2003. LNCS, vol. 2742, pp. 162–181. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540451266 12
196
N. Vafaei et al.
8. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997). https://doi.org/10.1007/3540690530 4 9. Chen, H., Feng, J., Rijmen, V., Liu, Y., Fan, L., Li, W.: Improved fault analysis on SIMON block cipher family. In: 2016 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 16–24. IEEE (2016) 10. De Santis, F., Guillen, O.M., Sakic, E., Sigl, G.: Ciphertextonly fault attacks on ¨ urk, E. (eds.) LightSec 2014. LNCS, vol. 8898, PRESENT. In: Eisenbarth, T., Ozt¨ pp. 85–108. Springer, Cham (2015). https://doi.org/10.1007/9783319163635 6 11. Dobraunig, C., Eichlseder, M., Korak, T., Lomn´e, V., Mendel, F.: Statistical fault attacks on noncebased authenticated encryption schemes. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 369–395. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662538876 14 12. Ghalaty, N.F., Yuce, B., Taha, M., Schaumont, P.: Diﬀerential fault intensity analysis. In: 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 49–58. IEEE (2014) 13. Hajra, S., et al.: DRECON: DPA resistant encryption by construction. In: Pointcheval, David, Vergnaud, Damien (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 420–439. Springer, Cham (2014). https://doi.org/10.1007/9783319067346 25 14. Jean, J., Moradi, A., Peyrin, T., Sasdrich, P.: Bitsliding: a generic technique for bitserial implementations of SPNbased primitives  applications to AES, PRESENT and SKINNY. Cryptology ePrint Archive, Report 2017/600 (2017) 15. Jean, J., Nikoli´c, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/9783662456088 15 16. Korkikian, R., Pelissier, S., Naccache, D.: Blind fault attack against SPN ciphers. In: 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 94–103. IEEE (2014) 17. Kumar, R., Jovanovic, P., Burleson, W., Polian, I.: Parametric Trojans for faultinjection attacks on cryptographic hardware. In: 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 18–28. IEEE (2014) 18. Li, Y., Sakiyama, K., Gomisawa, S., Fukunaga, T., Takahashi, J., Ohta, K.: Fault sensitivity analysis. In: Mangard, S., Standaert, F.X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 320–334. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642150319 22 19. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). https:// doi.org/10.1007/3540457089 3 20. Liu, G., Ghosh, M., Ling, S.: Security analysis of SKINNY under relatedtweakey settings. Technical report, Cryptology ePrint Archive, Report 2016/1108 (2016). http://eprint.iacr.org/2016/1108 21. Patranabis, S., Roy, D.B., Mukhopadhyay, D.: Using tweaks to design fault resistant ciphers. In: 2016 29th International Conference on VLSI Design and 2016 15th International Conference on Embedded Systems (VLSID), pp. 585–586. IEEE (2016) 22. Sadeghi, S., Mohammadi, T., Bagheri, N.: Cryptanalysis of reduced round SKINNY block cipher. Technical report, Cryptology ePrint Archive, Report 2016/1120 (2016)
Diﬀerential Fault Attack on SKINNY Block Cipher
197
23. Saha, D., Chowdhury, D.R.: Diagonal fault analysis of Grstl in dedicated MAC mode. In: IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2015, Washington, DC, USA, 5–7 May 2015, pp. 100–105 (2015) 24. Saha, D., Mukhopadhyay, D., Chowdhury, D.R.: A diagonal fault attack on the advanced encryption standard. IACR Cryptology ePrint Archive 2009(581) (2009) 25. Song, L., Hu, L.: Diﬀerential fault attack on the PRINCE block cipher. In: Avoine, G., Kara, O. (eds.) LightSec 2013. LNCS, vol. 8162, pp. 43–54. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642403927 4 26. Takahashi, J., Fukunaga, T.: Improved diﬀerential fault analysis on CLEFIA. In: 5th Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2008, pp. 25–34. IEEE (2008) 27. Tolba, M., Abdelkhalek, A., Youssef, A.M.: Impossible diﬀerential cryptanalysis of SKINNY. Technical report, Cryptology ePrint Archive, Report 2016/1115 (2016). http://eprint.iacr.org/2016/1115 28. Tunstall, M., Mukhopadhyay, D., Ali, S.: Diﬀerential fault analysis of the advanced encryption standard using a single fault. In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 224–233. Springer, Heidelberg (2011). https://doi.org/ 10.1007/9783642210402 15 29. Tupsamudre, H., Bisht, S., Mukhopadhyay, D.: Diﬀerential fault analysis on the families of Simon and speck ciphers. In: 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 40–48. IEEE (2014)
dMUL: Optimizing and Implementing a Multidimensional Scalar Multiplication Algorithm over Elliptic Curves Huseyin Hisil1 , Aaron Hutchinson2 , and Koray Karabina2(B) 2
1 ˙ Yasar University, Izmir, Turkey Florida Atlantic University, Boca Raton, USA
[email protected]
Abstract. This paper aims to answer whether dMUL, the multidimensional scalar point multiplication algorithm, can be implemented eﬃciently. dMUL is known to access costly matrix operations and requires memory access frequently. In the ﬁrst part of the paper, we derive several theoretical results on the structure and the construction of the addition chains in dMUL. These results are interesting on their own right. In the second part of the paper, we exploit our theoretical results, and propose an optimized variant of dMUL. Our implementation results show that dMUL can be very practical for small d, and it remains as an interesting algorithm to further explore for parallel implementation and cryptographic applications. Keywords: dMUL · Elliptic curve scalar multiplication Diﬀerential addition chain · Isochronous implementation
1
Introduction
Let G be an abelian group of order G = N . A single point multiplication algorithm in G takes as input a ∈ [1, N ) and P ∈ G and outputs the point aP . More generally, a ddimensional point multiplication algorithm in G takes a1 , . . . , ad ∈ [1, N ) and points P1 , . . . , Pd ∈ G and produces the point a1 P1 + · · · + ad Pd . Secure and eﬃcient point multiplication algorithms are critical in cryptography and have received much attention over the years. Some of these algorithms are specialized for certain tasks or only work in speciﬁc settings, such as when the Pi are ﬁxed versus variable, or when the scalars ai are public versus secret. See [1,3–5,7,8,10] for examples of such algorithms. In some cases, a linear combination a1 P1 +· · ·+ad Pd must be computed for ai chosen uniformly at random. In particular, the dMUL algorithm in [4,7] is a multidimensional point multiplication algorithm which oﬀers uniform operations in its execution, diﬀerential additions with each point addition, and has potential for an isochronous implementation. The dMUL paper [7] notes that ﬁxing the dimension parameter d c Springer Nature Switzerland AG 2018 A. Chattopadhyay et al. (Eds.): SPACE 2018, LNCS 11348, pp. 198–217, 2018. https://doi.org/10.1007/9783030050726_12
dMUL
199
as 1 yields the Montgomery chain [9], while taking d = 2 yields the chain given by Bernstein in [2]. dMUL takes advantage of state matrices in its underlying structure. Deﬁnition 1. A (d + 1) × d state matrix A has nonnegative entries and satisﬁes: 1. each row Ai has (i − 1) odd entries. 2. for 1 ≤ i ≤ d, we have Ai+1 − Ai ∈ {ej , −ej } for some 1 ≤ j ≤ d, where ej is the row matrix having 1 in the jth column and 0’s elsewhere. We deﬁne the magnitude of A to be A = max{Aij  : 1 ≤ i ≤ d+1, 1 ≤ j ≤ d}. At a high level, on input a1 , . . . , ad ∈ Z and P1 , . . . , Pd ∈ G the dMUL algorithm, as described in [7], consists of three stages: (1) construct a (d + 1) × d state matrix A having a row consisting of the scalars a1 , . . . , ad , (2) construct a sequence {A(i) }i=1 of state matrices such that A() = A, the entries of A(1) are in the set {0, 1, −1}, and every row of A(i+1) is the sum of exactly two (possibly not distinct) rows from A(i) , (3) Compute the linear combinations Qi of the P1 , . . . , Pd corresponding to the rows of A(1) , and then use the row relations among the consecutive A(j) to add pairs of Qi ’s together until reaching the ﬁnal matrix A() . Suppose that one wishes to compute a random linear combination of P1 , . . . , Pd such that the coeﬃcients of the combination are scalars having bits or less. One approach is to choose d many scalars ai from the interval [0, 2 ) and run the dMUL algorithm with input a1 , . . . , ad and P1 , . . . , Pd . This method has some concerning drawbacks: – A large amount of integer matrix computation is necessary in item (2) above before any point additions can be performed. – A large amount of storage space is necessary to store the matrices A(i) , which each consist of d(d + 1) many i bit integers. In an eﬀort to avoid these drawbacks, one might instead consider a variant of dMUL which starts with a state matrix A(1) having entries in {0, 1, −1} and builds a random sequence {A(i) }i=1 as in (2) above. In this setting, point additions can begin immediately alongside the generation of the matrices, which also reduces the storage space on the matrix sequence to that of just a single (d+1)×d state matrix. This new procedure still comes with some concerns, such as how to build such a random sequence of state matrices, and how to ensure that the ﬁnal output point isn’t biased in any way. This idea is the primary focus of this paper. Contributions: Our contributions can be summarized as follows:
200
H. Hisil et al.
– We present a variant of dMUL, the multidimensional diﬀerential addition chain algorithm described in [7]. The algorithm takes as input points P1 , . . . , Pd , a (d · )bit string r, a permutation σ ∈ Sd , and a binary vector v of length d, and it produces a point P from the set S = {a1 P1 + · · · + ad Pd : 0 ≤ ai < 2 }. – The algorithm is performed as dMUL, except that the scalar coeﬃcients are not chosen in advance, and no matrix arithmetic is required prior to point addition; instead, the row additions are chosen through r. Moreover, the scalars ai for the output point P = a1 P1 + · · · + ad Pd can be determined through matrix arithmetic either before or after the point P is computed. In particular, our algorithm maintains the uniform pattern of 1 doubling, d additions, 1 doubling, d additions, . . . that dMUL features. – We prove that there is a uniform correspondence between the input parameters (r, σ, v), and the scalars a1 , . . . , ad determining P . More precisely, if r, σ, and v are chosen uniformly at random, then the point P will be uniformly distributed in S. – We make some observations to modify and speed up the original algorithm, resulting in a constanttime friendly description. In particular, our algorithm can still beneﬁt from parallelization, and we reduce the storage requirements for the scalar computation algorithm from O(d2 ) (the cost of storing a state matrix) to O(1) (a single scalar). – We report on results from implementations of our algorithm. Initial constanttime implementations of the algorithm gave run times nearing 500 000 cycle counts; with the modiﬁcations mentioned in the previous bullet this was reduced to 97 300 for d = 2, 109 800 for d = 3, and 123 300 for d = 4 with constanttime operations and diﬀerential additions used in each case (combined cost of computing P and (a1 , . . . , ad ) in each case). The rest of this paper is organized as follows. Section 2 provides new theoretical results and builds the foundation of the scalar multiplication algorithm. Section 3 details the scalar multiplication algorithm which produces a random linear combination of points. Section 4 shows implementation oriented optimization alternatives on the proposed algorithms. Section 5 reports on the results of these optimizations in an implementation. We derive our conclusions in Sect. 6.
2
Theoretical Results
This section is devoted to developing theoretical results that culminate in our scalar multiplication algorithm. The outline of this section is as follows. Let A and B be state matrices such that every row in A is the sum of two rows from B. 1. We prove Theorem 1: for a ﬁxed A, the matrix B is unique.
dMUL
201
2. We prove Lemma 6: for a ﬁxed B, there are exactly 2d distinct matrices A. 3. In proving Lemma 6 we gain insight on how to construct all such matrices A from a given B: the matrices A are in onetoone correspondence with binary strings r of length d. We formalize the construction of A from a given B and binary string r. 4. In Theorem 4 we show that iterating the construction of A from B with a bitstring r chosen randomly at each iteration will produce a uniformly random integer row vector a1 · · · ad with 0 ≤ ai < 2 for 0 ≤ i ≤ d. This results in a version of dMUL which produces a random output with negligible precomputation. Throughout this section, row and column indices of all matrices start at 1. 2.1
Uniqueness
In this section, we aim to show that the output of Algorithm 2 in [7] is unique in the following sense: if A and B are (d + 1) × d state matrices (deﬁned below) such that every row in A is the sum of two rows from B, then B is the output of Algorithm 2 in [7] when ran with input A. The proof will be by induction on d, but we ﬁrst prove several lemmas and corollaries which are required in the main proof. Proofs of some of these lemmas and corollaries, when they are rather mechanical, are omitted due to space restrictions. The results of this section will be used in Sect. 3 to attain an algorithm for generating a uniformly random linear combination of group elements. Throughout this paper, we will be working with the notion of a state matrix as in Deﬁnition 1. This is the same deﬁnition used in [7], but we restrict to state matrices with nonnegative entries. A simple consequence of Deﬁnition 1 is that each index j in property (2) above is obtained from a unique i. Lemma 1. Let A be a state matrix. If Am+1 −Am = ci ei , and An+1 −An = cj ej with m = n, then i = j. As a consequence, each column of A has the form T 2x · · · 2x 2x + (−1)k · · · 2x + (−1)k for some k and some x, where the index at which 2x changes to 2x + (−1)k is diﬀerent for each column. Remark 1. Since every column of a state matrix A has the form stated in Lemma 1, A can be computed by only looking at the rows A1 and Ad+1 . Deﬁnition 2. Let A be a (d + 1) × d state matrix. The column sequence for A is the function σA : {2, . . . , d + 1} → {1, . . . , d}, where σA (i) is the position in which the row matrix Ai − Ai−1 is nonzero. When A is clear from the context, we will sometimes write σ instead of σA . By Lemma 1, σA is a bijection. Deﬁnition 3. Let A be a (d + 1) × d state matrix. The diﬀerence vector for A is the vector cA := Ad+1 − A1 . When A is clear from the context, we will sometimes write c instead of cA .
202
H. Hisil et al.
With these deﬁnitions, we have Ak − Ak−1 = cA σA (k) eσA (k) for 2 ≤ k ≤ d + 1. Next, we formulate results on the number of odd entries in the sum and diﬀerence of two rows from a state matrix. Lemma 2. If B is a (d + 1) × d state matrix, then Bm + Bn has m − n odd entries. The following simple corollary will be used extensively throughout the rest of the paper. Corollary 1. Let A and B be state matrices such that every row in A is the sum of two rows from B. Then for each k, there is some m such that Ak = Bm + Bm+k−1 . Proof. Write Ak = Bm + Bn , with m ≤ n. Property (2) of state matrices says that Ak has k − 1 odds. By Lemma 2, Bm + Bn has n − m odds. So k − 1 = n − m and n = m + k − 1. Corollary 2. Let A and B be state matrices such that every row in A is the sum of two rows from B. Let h be the number of odds in the integer row matrix 1 2 A1 . Then 2Bh+1 = A1 . Proof. By Corollary 1 we have A1 = 2Bm for some index m. By assumption, Bm has h odd entries. By the deﬁnition of a state matrix, Bm has m − 1 odd entries. So m = h + 1 and A1 = 2Bh+1 . Lemma 3. If B is a (d + 1) × d state matrix, then Bm − Bn has (1) m − n odd entries, all of which are either 1 or −1, (2) d − m − n even entries, all of which are 0. We now show that we can write cB as a function of cA when every row in A is the sum of two rows from B. Lemma 4. Let A and B be statematrices such that every row in A is the sum of two rows from B. Write A1 = 2α1 · · · 2αd . Then A if αj is even cj cB = j −cA if αj is odd j We can also relate σA and σB . An explicit formula for σA in terms of σB can be found, but for our purposes only knowing σA (2) suﬃces. The following lemma will be one of the keys to proving Theorem 1 to follow. Lemma 5. Let A and B be state matrices such that every row in A is the sum of two rows from B. Write A1 = 2α1 · · · 2αd and let h be the number of αi which are odd. Then σB (h + 1) if ασA (2) is odd σA (2) = σB (h + 2) if ασA (2) is even
dMUL
203
We now have all the tools required to prove the main result of this subsection. Theorem 1. Let A be any state matrix of size (d + 1) × d. Then there is a unique state matrix B such that every row in A is the sum of two rows from B. In particular, Algorithm 2 in [7] gives a construction for B. Proof. We use induction on d. Let d = 1 and suppose B is such a matrix. Then B has only two rows, one of which is determined uniquely by Corollary 2. By Corollary 1, we have A2 = B1 +B2 ; two of the three row matrices in this equation are determined already, and so the third is determined as well. Assume the theorem holds for matrices of size d × (d − 1). Let A be a (d + 1) × d state matrix and suppose B and C satisfy the condition stated in the theorem. Write A1 = 2α1 · · · 2αd and let h be the number of αi which are odd. Throughout the rest of the proof, for any matrix X we will let i [X]j denote the matrix obtained by deleting the ith row and jth column of X. Let A = 1 [A]σA (2) . That A is a state matrix follows from A being a state matrix and that the only odd in A2 occurs in column σA (2). 1. Suppose ασA (2) is odd. By Lemma 5, we have σB (h + 1) = σC (h + 1) = σA (2). Let B = h+1 [B]σB (h+1) and C = h+1 [C]σC (h+1) . We’ll now show that B is a state matrix. For 2 ≤ i ≤ h, we have σ (h+1)
Bi − Bi−1 = [B]i B
σ (h+1)
B − [B]i−1
σB (h+1) = [Bi − Bi−1 ]σB (h+1) = [cB σB (i) eσB (i) ]
which is still a unit basis row matrix since σB (h + 1) = σB (i). Similarly, for h + 2 ≤ i ≤ d + 1 we have
σ
(h+1)
B Bi − Bi−1 = [B]i+1
σ
− [B]i B
(h+1)
= [Bi+1 − Bi ]
σB (h+1)
B σ (h+1) e ] B B (i+1) σB (i+1)
= [cσ
(the row index increases by one to account for the deleted row h + 1) which is still a unit basis row matrix since σB (h + 1) = σB (i + 1). Looking at i = h + 1, we have σ (h+1)
B Bh+1 − Bh = [B]h+2
σ (h+1)
− [B]hB
= [Bh+2 ]σB (h+1) − [Bh ]σB (h+1) B σB (h+1) = [Bh + cB − [Bh ]σB (h+1) σB (h+2) eσB (h+2) + cσB (h+1) eσB (h+1) ] σB (h+1) σB (h+1) = [cB + [cB σB (h+2) eσB (h+2) ] σB (h+1) eσB (h+1) ] σB (h+1) = [cB + 0. σB (h+2) eσB (h+2) ]
So B satisﬁes the second requirement of being a state matrix. For the ﬁrst requirement involving parities, we note that Bi,σB (h+1) = ασB (h+1) +cA σB (h+1) (which is even) for 1 ≤ i ≤ h + 1 and Bi,σB (h+1) = ασB (h+1) (which is odd) σ (h+1) for h + 2 ≤ i ≤ d + 1. So for 1 ≤ i ≤ h + 1, [B]i B is obtained from Bi by deleting an even entry, and so the number of odds isn’t aﬀected. Similarly, σ (h+1) is obtained from Bi+1 by deleting an odd entry, for h + 1 ≤ i ≤ d, [B]i B and so has i − 1 odds. This shows B is a d × (d − 1) state matrix.
204
H. Hisil et al.
We now show that every row in A is the sum of two rows from B . We have A Ai = [A]i+1
σ (2)
σ (h+1)
= [Ai+1 ]σA (2) = [Bj + Bj+i ]σB (h+1) = [B]j B
σ (h+1)
B + [B]j+i
for some index j. If neither j or j + i are h + 1, then both the above row matrices correspond to rows of B . If one is h + 1, we just see that σ (h+1)
B [B]h+1
σB (h+1) = [Bh + cB = [Bh ]σB (h+1) = Bh . σB (h+1) eσB (h+1) ]
Thus B is a d × (d − 1) state matrix such that every row in A is the sum of two rows from B . An entirely identical argument shows C is a d × (d − 1) state matrix such that every row from A is the sum of two rows from C . Our inductive hypothesis gives that B = C . We already have Bh+1 = 12 A1 = Ch+1 from Corollary 2. Since Bh+1,σB (h+1) = Ch+1,σC (h+1) and σB (h + 1) = σC (h + 1), we have that column σB (h + 1) is identical in both matrices by Lemma 1. Thus B = C. 2. Suppose ασA (2) is even. The proof is mostly identical to case 1. We get σB (h+ 2) = σC (h + 2) = σA (2) by Lemma 5 and take B = h+2 [B]σB (h+2) and C = h+2 [C]σC (h+2) . To wrap up this section, we prove one additional corollary which will be needed later on. Corollary 3. Let A and B be state matrices such that every row in A is the sum of two rows from B. If Ak = Bm + Bm+k−1 and also Ak = Bn + Bn+k−1 , then m = n. 2.2
Generating Randomness
The task of generating random group elements has many applications in cryptography, most notably in the ﬁrst round of the DiﬃeHellman key agreement protocol. We will now make use of the results in Subsect. 2.1 to tackle the problem of choosing and computing an element from the set {a1 P1 +· · ·+ad Pd : 0 ≤ ai < 2 } uniformly at random for a ﬁxed set of points Pi in an abelian group G and for a ﬁxed parameter . We of course would like to be as eﬃcient and uniform with our intermediate computations as possible. Many solutions to this problem exist already. One such solution is to choose ai ∈ [0, 2 ) uniformly at random for 1 ≤ i ≤ d, and then run the dMUL algorithm of [7] with the input (a1 , . . . , ad ). This method has the advantage of being uniform with all group operations (see Remark 5.1 in [7]), but comes with the overhead of ﬁrst computing a sequence {A(i) }i=1 of (d+1)×d matrices before any group addition is done. Once the sequence has been computed the remaining computations within G are relatively eﬃcient, requiring point doublings and · d point additions. We propose an alternative solution to the problem by considering a “reversed” version of dMUL which bypasses the computation of this sequence of
dMUL
205
matrices. Instead of choosing d many ai ∈ [0, 2 ), we choose a single r ∈ [0, 2d ) uniformly at random, which will be used to construct a unique sequence {A(i) }i=1 which we will utilize in the same way as above to perform the group computations. Taking all such sequences {A(i) }i=1 corresponding to every r ∈ [0, 2d ), the distribution of all integer dtuples corresponding to all rows in the ﬁnal matrices () A() are not uniform; however by only considering the ﬁnal rows Ad+1 we ﬁnd an output which is uniform over all odd integer dtuples, which we state as a main result in Theorem 3. By subtracting a binary vector from the output, we ﬁnd a uniformly random d tuple. In this subsection, we deﬁne the tools used to explore the problem and prove many results, culminating in Theorem 4 which gives a method for producing uniformly random output. These results will be used in Sect. 3 to give an algorithm for computing a uniformly random linear combination of group elements. We now ﬁnd interest in sequences of state matrices having special properties, as described in the following deﬁnition. Deﬁnition 4. A state matrix chain is a sequence A(i) i=1 of state matrices A(i) with d columns such that 1. each row of A(i+1) is the sum of two rows from A(i) for 1 ≤ i < , 2. {A(i) }i=1 is a strictly increasing sequence, 3. A(1)  = 1. We say is the length of the chain A(i) i=1 . The sequence of matrices produced by Algorithm 3 in [7] is a state matrix chain. Note that a sequence A(i) i=1 satisfying (1) and (3) may be “trivially extended” to have an arbitrarily greater number of matrices by deﬁning (1) A i≤n (i) B = A(i−n) i > n which is a sequence containing A(i) i=1 and still satisfying (1) and (3) of the above deﬁnition. We therefore attain some degree of uniqueness in excluding such trivial extensions from the current discussion by requiring (2). Note that by Theorem 1, a state matrix chain A(i) i=1 is uniquely determined by A() . Deﬁnition 5. An augmented state matrix chain is a pair A(i) i=1 , h , where A(i) i=1 is a state matrix chain with matrices having d columns and 1 ≤ h ≤ d + 1. h is called the output row for the augmented chain. Let SMCd denote the set of all augmented state matrix chains (of varying length) with matrices having d columns. We deﬁne a function output : SMCd −−−−−−−−→ Z1×d
() A(i) , h −→ Ah . i=1
206
H. Hisil et al.
The function output (as with any function) naturally gives equivalence classes on its domain deﬁned by the preimage of elements in the codomain; speciﬁcally, say augmented chains (C, h) and (C , h ) are equivalent if and only if output(C, h) = output(C , h ). Since output(C, h) = Ah for some state matrix A, we have that h − 1 is the number of odd entries in the row matrix Ah ; likewise, h − 1 is the number of odd entries in the row matrix Ah , and since Ah = Ah we have h = h . That is, the output row is constant over all augmented state matrix chains in the equivalence class [(C, h)]. The length of the chains in [(C, h)] is, in general, not constant. Theorem 2. For s ∈ Z1×d having h odd entries, we have output−1 (s) = 2d (d − h)!h! That is, there are 2d (d − h)!h! many state matrix chains which give s as an output. Proof. By Theorem 1 the number of chains giving s as an output is equal to the number of state matrices containing s as a row. We count all such matrices. Row h + 1 must be s. For rows 1 through h, an odd entry must be selected to change to an even entry by either adding or subtracting 1, giving a total of h 2i possibilities. Similarly, in choosing rows h + 2 through d + 1 an even i=1 entry mustbe changed to an odd entry by either adding or subtracting 1, giving d−h a total of i=1 2i possibilities. All together, we have
h
i=1
d−h
2i · 2i = 2d (d − h)!h! i=1
many possible matrices. Note that for a ﬁxed s the number of chains producing s as an output is independent of the bit size of the entries of s. Lemma 6. Let B be a (d+1)×d state matrix. Then there are exactly 2d pairwise distinct state matrices A such that every row in A is the sum of two rows from B. Proof. Fix 0 ≤ h ≤ d and consider all matrices A such that A1 = 2Bh+1 (every A has such a unique h by Corollary 2). By Corollary 3, for every k there are unique xk and yk such that Ak = Bxk + Byk with xk ≤ yk . This deﬁnes a sequence of pairs ak = (xk , yk ) such that a1 = (h + 1, h + 1) and ad+1 = (1, d + 1). By Corollary 3 and Algorithm 2 in [7], we have either ak+1 = (xk − 1, yk ) or ak+1 = (xk , yk + 1) for each k, and either choice for each k deﬁnes a valid and unique state matrix satisfying the conditions stated in the lemma. Since the xk ’s must decrease to 1, we have h possible indices k to choose where to place the −1’s in the ﬁrst coordinates of ak+1 , and so hd sequences are possible. Summing d over all h, we have h=0 hd = 2d total matrices.
dMUL
207
The above proof gives insight into the method used in the algorithms to come. There is a onetoone correspondence between the integers in the interval [0, 2d − 1] and the possible matrices A stated in the theorem. The number of 1’s in the binary expansion of a chosen integer will determine h, and the placement of the 1’s determines the positions to place the 1’s in the sequence ak deﬁned in the proof. In particular, choosing an integer in the interval [0, 2d − 1] uniformly at random corresponds to choosing a matrix A uniformly at random out of all matrices satisfying the conditions in Lemma 6, and deﬁnes how to construct the chosen matrix A. We make this formal below. Deﬁnition 6. Let A and B be (d + 1) × d state matrices such that every row d+1 in A is the sum of two rows from B. The addition sequence {ak }k=1 for A corresponding to B is deﬁned by ak = (xk , yk ), where xk and yk are the unique row indices such that Ak = Bxk + Byk . Remark 2. Uniqueness follows from Corollary 3. Deﬁnition 7. Let B be a (d + 1) × d state matrix and r a binary string of length d. Let h be the number of 1’s in r. Deﬁne a recursive sequence ak = (xk , yk ) of ordered pairs by x1 = y1 = h + 1 and (xk−1 , yk−1 + 1) if rk−1 = 0 ak = (xk−1 − 1, yk−1 ) if rk−1 = 1 for 2 ≤ k ≤ d + 1. We deﬁne the extension matrix of B corresponding to r as the (d + 1) × d state matrix A having the addition sequence ak with respect to the matrix B. By choosing many binary strings of length d, we may iterate Deﬁnition 7 to produce a sequence of matrices. Deﬁnition 8. Let B be a (d + 1) × d state matrix and r a binary string of length · d. Let r1 , . . . , r be the partition of r into blocks of length d, with ri being the sequence whose terms are bits (i − 1) · d + 1 through i · d of r. We deﬁne the extension sequence with base B corresponding to r as the sequence of + 1 many +1 (d + 1) × d state matrices A(i) i=1 deﬁned recursively as A(1) = B and A(i+1) is the extension matrix of A(i) corresponding to ri . By the deﬁnition of an extension matrix, every row in A(i) is the sum of two rows from A(i−1) for each i. Note however that not all extension sequences are state matrix chains since B = 1 is not required, and even if this condition were satisﬁed many sequences would have B repeated many times (such as when r is the zero string) and so A(i)  is not strictly increasing in such cases. Corollary 4. Fix a (d + 1) × d state matrix B. Every sequence of (d + 1) × d +1 state matrices A(i) i=1 satisfying
208
H. Hisil et al.
1. A(1) = B, 2. For 1 < i ≤ + 1, every row in A(i) is the sum of two rows from A(i−1) is an extension sequence with base B corresponding to some binary sequence r. Proof. For each i, there is an addition sequence for A(i) corresponding to A(i−1) . Concatenating these sequences yields the sequence r. Since there are 2d binary strings of length d, there are 2d extension sequences of a ﬁxed matrix B. We now arrive at the primary result of this section. Theorem 3. Let B = {B ∈ Z(d+1)×d : B = 1, B a state matrix}. Let +1 +1 A(i) : A(i) is an extension of some B ∈ B S= i=1
i=1
+1 (+1) Then the map output A(i) i=1 = Ad+1 deﬁnes a 2d d!to1 correspondence from S to the set of row matrices of length d consisting of positive odd bit or less integers. d Proof. Let s be such a row matrix. By Theorem 2,n there are 2 d! distinct state matrix chains which give s as an output. Let A(i) i=1 be one such a state matrix chain. Then Theorem 4.3 in [7] and Theorem 1 above give n ≤ + 1, and since A(1)  = 1 the chain may be uniquely extended into a sequence in S while still having output s by deﬁning (i−−1+n) A if + 1 − n < i ≤ + 1 B (i) = if 1 ≤ i ≤ + 1 − n A(1)
This essentially says to repeat matrix A(1) suﬃciently many times to get a sequence of length + 1. This produces a valid extension since it corresponds to choosing the addition sequence on A(1) corresponding to the zero bitstring (in other words, doubling the ﬁrst row of all 0’s produces the same matrix since n A(1)  = 1). This is possible for each chain A(i) i=1 , and so each ﬁxed s yields 2d d! many distinct extension sequences in S. There are 2(−1)d such row matrices s, and each gives 2d d! extensions in S (diﬀerent choices of s give disjoint sets of extensions since the last row in the last matrix of each extension is s) for a total of 2d d! extensions. Since there are d! state matrices B satisfying B = 1 and 2d extensions for each B, this is exactly the size of S. The implication of the above theorem is that choosing both a matrix B satisfying B = 1 and an integer in [0, 2d − 1] uniformly at random deﬁnes a unique extension sequence of B, which in turn yields a row matrix s chosen uniformly at random from the set of row matrices consisting of bit or less odd entries, which is given by the last row in the last matrix of the extension sequence. An arbitrary bit row matrix may be obtained by choosing a binary vector uniformly at random and subtracting it from the output row s.
dMUL
209
Theorem 4. Choose the following parameters uniformly at random from their respective sets: 1. r a binary string of length d, 2. B a (d + 1) × d state matrix satisfying B = 1, 3. v a binary row matrix of length d. +1 Let A(i) i=1 be the extension sequence with base B corresponding to r, and (+1)
deﬁne s = Ad+1 . Then s − v is an element chosen uniformly at random from the set of row matrices of length d having entries in [0, 2 − 1].
Proof. By Theorem 3, s is chosen uniformly at random from the set of row matrices of length d consisting of odd bit or less integers. For each s, deﬁne Ts = {s − v : v is a binary vector}. Then {Ts : s has odd bit or less integers} is a partition of the set of row matrices of length d having entries in [0, 2 − 1]. Choosing r and B together specify a Ts , and v further speciﬁes an arbitrary vector. It’s worth noting that Theorem 3 (and so also Theorem 4) will not hold true (+1) when instead choosing h = i for i = d + 1 (i.e., s = Ai for i = d + 1 in the above). If s contains an entry which is 0 or 2 , many of the state matrices containing s as a row counted in Theorem 2 will necessarily contain the entry −1 (which we don’t allow) or 2 + 1, and so the conditions of Theorem 4.3 in [7] will not be satisﬁed. In turn, producing such s containing 2 + 1 would take one additional iteration of Algorithm 3 in [7] and so yields an extension sequence of length + 2. This results in sequences of varying lengths, which we wish to avoid.
3
Algorithms
Given Theorem 4, our scalar multiplication algorithm is now simple. Let P = P1 . . . Pd be a row matrix of points and choose r, B, and v as in Theorem 4. B can be constructed by applying a random permutation to the columns of a lower triangular matrix whose lower triangle consists of all 1’s. We then construct the extension sequence with base B corresponding to the bitstring r. The scalars in the linear combination of the output are given by subtracting v from the last row of the last matrix. These rules are reﬂected in Algorithm 1. We perform the scalar multiplication by using the same addition and doubling rules speciﬁed by the binary string r on the point column matrix B · P T . Upon arriving at the ﬁnal point column matrix, we subtract v · P T from the last entry and return this point as an output. We remark that this process only yields a point; the coeﬃcients of the resulting linear combination are computed through Theorem 4 using Algorithm 1. These rules for point multiplication are reﬂected in Algorithm 2. The scalars in Algorithm 1 and the points in Algorithm 2 can be merged in order to scan r only a single time. Alternatively, the two algorithms can
210
H. Hisil et al.
Algorithm 1. dMUL scalars
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
Input: bitsize parameter ; bitstring r of length d; τ a bijection on {0, 1, . . . , d − 1}; v a bitstring of length d · · · a a Output: a row matrix 1 d B[0] ← 0 · · · 0 for i = 0 to d − 1 do B[i + 1] ← B[i] + e[τ [i]] // Initial state matrix end for i = 0 to − 1 do h, x, y ← r[i · d] + · · · + r[(i + 1)d − 1] A[0] ← 2B[h] for j = 0 to d − 1 do if r[i · d + j] = 1 then x←x−1 else y ←y+1 end A[j + 1] ← B[x] + B[y] end B←A end a ← B[d] − v return a // Scalars
be computed independent of each other. We prefer the latter case because the column vectors of B in Algorithm 1 constitutes a redundant representation. We eliminate this redundancy in Sect. 4. We take a moment to point out some special cases. As in the original dMUL algorithm of [7], when taking d = 1 here we get a scalar multiplication algorithm reminiscent of the Montgomery chain [9]. To compute aP the Montgomery chain tracks two variables Q1 and Q2 ; each iteration adds these variables together and doubles one of them to get the next pair Q1 , Q2 . If the point to double is chosen uniformly at random in the Montgomery chain, one gets an algorithm identical to Algorithm 2. Similarly, when d = 2 Algorithm 2 resembles a variant of the “new binary chain” of [2]. To compute a1 P1 + a2 P2 this chain tracks a triple of points (Q1 , Q2 , Q3 ) which are linear combinations of P1 and P2 for which the scalars of each combination correspond to pairs from the set S = {(s, t), (s + 1, t), (s, t + 1), (s + 1, t + 1)} for some (s, t). The missing pair from the set always contains exactly one odd entry. Suppose that Q1 corresponds to the (even,even) tuple, Q2 corresponds to the (odd,odd) tuple, and Q3 is the mixed parity tuple. Then the triple (Q1 , Q2 , Q3 ) for the next iteration satisﬁes Q1 = 2Qi for some i, Q2 = Q1 + Q2 , and either Q3 = Q1 + Q3 or Q3 = Q2 + Q3 such that the resulting scalars from each linear combination are still of the form given by S for a new pair (s , y ). This leaves 4 = 22 options for (Q1 , Q2 , Q3 ) from a ﬁxed triple
dMUL
211
(Q1 , Q2 , Q3 ), and so choosing an option at random is equivalent to Algorithm 2 when d = 3. See [2] for more details on the new binary chain.
Algorithm 2. Simpliﬁed dMUL
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Input: bitsize parameter ; P = P1 · · · Pd points on curve E; bitstring r of length d; τ a bijection on {0, 1, . . . , d − 1}; v a bitstring of length d Output: Q satisfying Q = a1 P [1] + · · · + ad P [d] for 0 ≤ ai < 2 chosen uniformly at random; the row matrix a1 · · · ad Q[0] ← id(E) for i = 0 to d − 1 do Q[i + 1] ← Q[i] + P [τ [i]] // Initial state matrix end for i = 0 to − 1 do h, x, y ← r[i · d] + · · · + r[(i + 1)d − 1] R[0] ← 2Q[h] for j = 0 to d do if r[i · d + j] = 1 then x←x−1 else y ←y+1 end R[j + 1] ← Q[x] + Q[y] end Q←R end T ← Q[d] − v[0] · P [0] − · · · − v[d − 1] · P [d − 1] a ← dMULScalars(,r, τ , v) return a, T // Scalars and output point
The point addition R[j + 1] ← Q[x] + Q[y] at line 14 of Algorithm 2 can be implemented using a diﬀerential addition Q[x] ⊕ Q[y] if Q[x] Q[y] is known in advance. Algorithm 3 computes a diﬀerence vector Δ which satisﬁes: Q[x] Q[y] = Δ[0] · P [0] ⊕ . . . ⊕ Δ[d − 1] · P [d − 1]. Using Δ it’s possible to arrange a lookup function for diﬀerence points TBL from which the diﬀerence point is extracted TBL(Δ). We provide explicit construction of TBL for d = 2, 3, 4 in Sect. 4. Algorithms 1, 2, and 3 use an implementation oriented notation where arrays are used in the place of vectors and the index of an array always starts from zero.
212
H. Hisil et al.
Algorithm 3. Simpliﬁed dMUL with diﬀerential additions
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
4
Input: bitsize parameter ; P = P1 · · · Pd points on curve E; bitstring r of length d; τ a bijection on {0, 1, . . . , d − 1}; v a bitstring of length d; TBL a lookup function for diﬀerence points Output: Q satisfying Q = a1 P [1] + · · · + ad P [d] for 0 ≤ ai < 2 chosen uniformly at random; the row matrix a1 · · · ad Q[0] ← id(E) for i = 0 to d − 1 do Q[i + 1] ← Q[i] + P [τ [i]] // Initial state matrix end κcol ← τ κrow ← [1 : i ∈ [0, . . . , d − 1]] for i = 0 to − 1 do h, x, y ← r[i · d] + · · · + r[(i + 1)d − 1] κrow , κcol , Δ ← [0 : i ∈ [0, . . . , d − 1]] R[0] ← 2Q[h] for j = 0 to d do if r[i · d + j] = 1 then x←x−1 κrow [κcol [x]] ← −κrow [κcol [x]] κcol [j] ← κcol [x] else κrow [κcol [y]] ← κrow [κcol [y]] κcol [j] ← κcol [y] y ←y+1 end Δ[κcol [j]] ← κrow [κcol [j]] R[j + 1] ← Q[x] ⊕ Q[y] // Q[x] Q[y] = TBL(Δ) end κrow ← κrow κcol ← κcol Q←R end T ← Q[d] − v[0] · P [0] − · · · − v[d − 1] · P [d − 1] a ← dMULScalars(,r, τ , v) return a, T // Scalars and output point
Optimizations
Let A be the extension matrix of B corresponding to the bitstring r. Our ﬁrst optimization involves simplifying the computation of A. We notice that the ith column of A is a function of only the ith column of B and the bitstring r and is independent of the other columns of B. This means that when computing +1 an extension sequence A(i) i=1 , the columns of A(+1) can be computed one at a time, reducing storage costs to only a single column of a state matrix.
dMUL
213
Furthermore, the columns of state matrices have a very strict form. Speciﬁcally, a column of a state matrix A looks like T 2x · · · 2x 2x + (−1)k · · · 2x + (−1)k , for some integer k. The representation of this column can take the much simpler form {2x, (−1)k , i}, where i is the highest index for which the entry of the column is 2x. This simple representation reduces storage costs further to only storing one large integer 2x, one bit sign information (−1)k , and one small integer i. In this direction, Algorithm 4 provides an optimized version of Algorithm 1. (+1) We point out that by taking k = d+1 in Corollary 1 we always have Ad+1 = ()
()
A1 + Ad+1 , and by the uniqueness in Corollary 3 this is always the case for any extension sequence. One might consider skipping the computation of A(+1) and () () (+1) simply outputting A1 + Ad+1 instead of Ad+1 (and likewise with the point additions in Algorithm 2). In our implementation with diﬀerential additions we () () found it diﬃcult to retrieve the point corresponding to the diﬀerence A1 +Ad+1 in a secure fashion. This approach is viable in an implementation which doesn’t take advantage of diﬀerential additions. Furthermore, this means the ﬁnal d bits of the bitstring r are unused. These bits may be used in place of the binary vector v if desired. Algorithm 4. dMUL scalars (Optimized)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
Input: bitstring r of length d, τ a bijection on {0, 1, . . . , d − 1} Output: Array of scalars k corresponding to r and τ for i = 0 to d − 1 do k[i] ← 0, δ ← 1, index ← i for j = 0 to d( − 2) by d do h ← r[j] + . . . + r[j + d − 1] z ← BoolToInt(h > index) k[i] ← 2(k[i] + δ) δ ← (1 − 2z) · δ q ← index + 1 − h, a ← 0, index ← −1, q ← Select(q, −q, BoolToInt(q > 0)) + z for t = 0 to d − 1 do a ← a + Xnor(z, r[j + t]) index ← Select(t, index, BoolToInt((a == q) ∧ (index == −1))) end end k[τ [i]] ← 2k[i] + δ − r[( − 1) · d + τ [i] − 1] end return k // Array of scalars
Algorithm 4 uses two auxiliary functions: BoolToInt sends true to 1 and false to 0. The Select function sends the inputs to the ﬁrst input or to the second input if the third input is false or true, respectively.
214
H. Hisil et al.
Algorithm 2 inputs an array of points which is denoted by P for simplicity. Algorithm 2 also inputs the same ordering v and the random bitstring r as Algorithm 4, and outputs k as the d scalars corresponding to v and r. Algorithm 2 also outputs the point T = k[0] · P [0] + · · · + k[d] · P [d]. In Algorithm 2, the if statement (also given below on the left) can be eliminated as given below on the right. This latter notation sacriﬁces readability but it helps in simplifying the implementation. if r[i · d + j] = 1 then x←x−1 else y ←y+1 4.1
x ← x − r[i · d + t] y ← y − r[i · d + t] + 1
Constant Time
Algorithm 2 can be implemented to give a constanttime implementation regardless of whether regular additions or diﬀerential additions are used. For this purpose, both d and are ﬁxed. The following additional modiﬁcations are also mandatory. – A table lookup on P that depends on the secret information τ [i − 1] is performed in Line 3 of Algorithm 2. This lookup is implemented with constanttime scanning method. We note that this scanning does not cause a performance bottleneck for small values of d since it is not a part of the main loop (lines 5–13). – Additional secret dependent table lookups are performed at Line 7 and Line 10 of Algorithm 2. These lookups are also implemented with constanttime scanning method. However, this time, the scanning constitute a performance bottleneck. To minimize the performance penalty, the actual implementation in Sect. 5, further optimizes Algorithm 2 by removing the assignment Q ← R in line 12 and letting the intermediate point array to oscillate between the arrays Q and R. The indexes that can occur for Q and R are given by the sequences [0 · · · (d − i)] and [i · · · d], respectively. These indexes are perfectly suitable for constanttime scanning method since they are linearly sequential. – The table lookups Q[0] at Line 1, Q[i], Q[i−1] at Line 3, and Q[0], Q[d], P [0], . . ., P [d−1], r[d(−1)], . . ., r[d(−1)+d−1] at Line 14 of Algorithm 2 do not depend on the secret information. Therefore, these lines can be implemented in the way they are written. On the other hand, each of r[d( − 1)] · P [i] is equal to either the identity element or P [i]. This intermediate values must be selected in constant item with Select. The Select function processes secret data in Algorithm 1 and therefore Select is implemented to run in constanttime. – Line 15 of Algorithm 1 also requires a secret dependent assignment. The left hand side k[τ [i]] also requires constanttime scanning.
dMUL
4.2
215
Diﬀerential Addition
The number of distinct values of Δ in Algorithm 3 increases exponentially with d. Nevertheless, TBL is manageable for small d. We investigate the ﬁxed cases d = 2, 3, 4, separately, and the explicit table entries for d = 2, 3 (the case d = 4 is omitted due to space restrictions) are as follows: – Case d = 2: The table size is 4. The ﬁrst iteration selects out of the 2 points [P0 , P1 ]; and the second iteration selects out of the 2 points [P0 − P1 , P0 + P1 ] – Case d = 3: The table size is 13. The ﬁrst iteration selects out of the 3 points [P0 , P1 , P2 ]; the second iteration selects out of the 6 points [P1 − P2 , P1 + P2 , P0 − P1 , P0 − P2 , P0 + P2 , P0 + P1 ]; and the third iteration selects out of the 4 points [P0 − P1 − P2 , P0 − P1 + P2 , P0 + P1 − P2 , P0 + P1 + P2 ].
Computing Δ with the help of variables κcol , κrow , κrow , κcol is considerably ineﬃcient. In order to emulate Δ, we derived dedicated boolean functions for each of the cases d = 2, 3, 4. We refer to the implementation for these expressions. Our experience is that simpliﬁcation of computing Δ is open to further investigation. Since the iterations selects through sequential indexes, the lookups can be implemented with constanttime scanning method in a subsequence of TBL. The overhead of constanttime scanning is not a bottleneck for d = 2, 3 but starts becoming one for d > 3.
5
Implementation Results
Sections 2 and 3 provided simpliﬁcations on dMUL by eliminating all of the redundancies and Sect. 4 put dMUL into an optimized format with lowlevel expressions. Our main aim in this section is to show that optimized dMUL can be implemented to give fast implementations. We implemented the optimized dMUL algorithm for d = 2, 3, 4 with point addition method being (i) diﬀerential; (ii) regular (i.e. nondiﬀerential). In all experiments, we used F2p = F(i) where p = 2127 − 1 and i2 = −1. We did not exploit any endomorphism. We used Montgomery diﬀerential addition formulas [9] for (i) and twisted Edwards (a = −1) uniﬁed addition formulas in extended coordinates [6] for (ii). Since dMUL is a generic multidimensional scalar point multiplication algorithm, one can switch to other possibly faster ﬁelds. We used a single core of an i76500U Skylake processor, where the other cores are turnedoﬀ and turboboost disabled. GNUgcc version 5.4.0 with ﬂags m64 O2 fomitframepointer was used to compile the code. The code can be executed on any amd64 or x64 processor since we use the generic 64 × 64 bit integer multiplier. In all of 12 implementations, we used the constanttime method for the scalar generation since the elimination of the branches lead to a slightly faster implementation. Table 1 provides cycle counts for our nonconstant time implementation. As dimension increases, so does the memory access due to lookups from Q and TBL. On the other hand, the number of additions decreases as d increases.
216
H. Hisil et al. Table 1. Nonconstant time implementation of optimized dDmul. Implementation
Scalars Point
Total
Regular, d = 2
9 100
135 900 145 000
Regular, d = 3
12 900
127 600 140 500
Regular, d = 4
10 700
125 200 135 900
Diﬀerential, d = 4 10 700
88 200
98 900
Diﬀerential, d = 3 12 900
84 600
97 500
Diﬀerential, d = 2
86 600
95 700
9 100
Therefore, there is a tradeoﬀ between the number of memory accesses and the number of point additions, depending on d. In case (i), the fastest dimension turns out to be d = 2 for overall computation. Proﬁling the code we see that the number of memory accesses is dominated by the selection of diﬀerence points from TBL for higher dimensions. In case (ii), the fastest dimension turns out to be d = 4 since no lookup occurs from TBL. The variation between the cycle counts in the scalars column of Table 1 is easy to explain. In (i), each scalar is represented by 2 limbs when d = 2; 1 limb when d = 4. In both cases, almost all available bits are used and the adder circuit is utilized. The case d = 2 is slightly faster than d = 4 since less eﬀort is spent on scanning r. The d = 3 is slower because 84bit scalars are represented by 2 limbs and more eﬀort is spent on scanning r. Table 2 provides the cycle counts when all inputdependent computations and inputdependent table lookups are emulated with arithmetic operations. These implementations run in constant time for all inputs. Table 2. Constant time implementation of optimized dDmul. Dimension
Scalars Point
Total
Regular, d = 2
9 100
143 500 152 600
Regular, d = 3
12 900
135 300 148 200
Regular, d = 4
10 700
131 200 141 900
Diﬀerential, d = 4 10 700
112 600 123 300
Diﬀerential, d = 3 12 900
96 900 109 800
Diﬀerential, d = 2
88 200
9 100
97 300
We immediately see that the ranking does not change and switching to the constanttime setting does not constitute a big speed penalty.
dMUL
6
217
Concluding Remarks
We presented several theoretical results on the structure and the construction of the addition chains in dMUL. Using our theoretical results, which are interesting on their own right, we proposed an optimized version of dMUL. Our implementation results show that the optimized dMUL gains some signiﬁcant speed ups. In particular, we were able to reduce the cycle counts of our initial isochronous implementation of the original dMUL algorithm from nearly 500 000 to under 125 000 cycles. Acknowledgements. The authors would like to thank reviewers for their comments and corrections. Research reported in this paper was supported by the Army Research Oﬃce under the award number W911NF1710311. The content is solely the responsibility of the authors and does not necessarily represent the oﬃcial views of the Army Research Oﬃce.
References 1. Azarderakhsh, R., Karabina, K.: Eﬃcient algorithms and architectures for double point multiplication on elliptic curves. In: Proceedings of the Third Workshop on Cryptography and Security in Computing Systems, CS2 2016 (2016) 2. Bernstein, D.: Diﬀerential addition chains. Technical report (2006). http://cr.yp. to/ecdh/diﬀchain20060219.pdf 3. Bos, J.W., Costello, C., Hisil, H., Lauter, K.: Highperformance scalar multiplication using 8dimensional GLV/GLS decomposition. In: Bertoni, G., Coron, J.S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 331–348. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642403491 19 4. Brown, D.: Multidimensional montgomery ladders for elliptic curves. ePrint Archive: Report 2006/220. http://eprint.iacr.org/2006/220 5. Costello, C., Longa, P.: FourQ: fourdimensional decompositions on a Qcurve over the mersenne prime. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 214–235. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662487976 10 6. Hisil, H., Wong, K.K.H., Carter, G., Dawson, E.: Twisted Edwards curves revisited. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 326–343. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540892557 20 7. Hutchinson, A., Karabina, K.: Constructing multidimensional diﬀerential addition chains and their applications. J. Cryptogr. Eng. 1–19 (2017). https://doi.org/10. 1007/s1338901701772 8. Joye, M., Tunstall, M.: Exponent recoding and regular exponentiation algorithms. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 334–349. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642023842 21 9. Montgomery, P.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48, 243–264 (1987) 10. Subramanya Rao, S.R.: Three dimensional montgomery ladder, diﬀerential point tripling on montgomery curves and point quintupling on Weierstrass’ and Edwards curves. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 84–106. Springer, Cham (2016). https://doi.org/10.1007/ 9783319315171 5
Author Index
Azarderakhsh, Reza
Mazumdar, Bodhisatwa 142 Mukhopadhyay, Debdeep 21, 177
37, 125
Bagheri, Nasour 177 Bakos Lang, Elena 125 Bhasin, Shivam 157 Brannigan, Séamus 65 Dalai, Deepak Kumar
O’Neill, Máire
65
Patranabis, Sikhar 21 Picek, Stjepan 157
1
Ghoshal, Ashrujit 21 Gupta, Devansh 142
Rafferty, Ciara 65 Roy, Dibyendu 1
Heuser, Annelie 157 Hisil, Huseyin 198 Hutchinson, Aaron 198
S. Krishnan, Archanaa 104 Saha, Sayandeep 177 Samiotis, Ioannis Petros 157 Satheesh, Varsha 85 Schaumont, Patrick 104 Shanmugam, Dillibabu 85 Singh, Ajeet 52
Jalali, Amir 37 Jao, David 125 Karabina, Koray 198 Kermani, Mehran Mozaffari Khalid, Ayesha 65 Kim, Jaehun 157 Koziel, Brian 125 Legay, Axel
157
37
Tentu, Appala Naidu 52 Tiwari, Vikas 52 Tripathy, Somanath 142 Vafaei, Navid
177